Cathay Pacific Airways, an international airline from Hong Kong, publicly reported yesterday (24 Oct 2018) that it has suffered a data breach affecting approximately 9.4 million passengers. The airline posted “We have discovered unauthorised access to some of our passenger data. For Data Security Event support, please DM @cxinfosec for assistance.” to 539k followers on their Twitter (@cathaypacific) account yesterday.

The incident, which was reported to be discovered in March this year, involved stolen passport information, identity card numbers, names, dates of birth, and postal addresses. Details such as where passengers’ travel destination and a few hundred expired credit card numbers were also accessed. However, no passwords or credit card cvv codes were stolen.

As to why the airline did not reveal anything when they discovered the suspicious activity in March, Cathay Pacific’s chief customer and commercial officer, Paul Loo said that they did not want to create “unnecessary scare” and only announce once they understood how each of their customer has been affected. The airline added that they were able to immediately respond and contain the breach in March with a leading cyber security firm and had their information systems patched since. Cathay Pacific also said that they have notified the Hong Kong Police and there was no evidence that the stolen personal information has been misused.

After news broke about the breach, Cathay Pacific’s shares went down by 6.8%, to HKUS$9.90, the lowest it has seen in 9 years. Concurrently, the airline is undertaking an exercise to cut costs and increase revenue to keep up with other airlines in this competitive sector.

How to know if you are affected?

The airline has announced that they will be contacting affected passengers in the coming days. However, Cathay has set up a site https://infosecurity.cathaypacific.com explaining more about the breach and steps to follow if you believe you have been affected.

Written by: Liwen