Cathay Pacific has revealed a data breach in March exposed the information of up to 9.4 million passengers.
The airline said that details including “passenger name, nationality, date of birth, phone number, email, address, passport number, identity card number, frequent flyer programme membership number, customer service remarks and historical travel information were all “accessed”.
“In addition, 403 expired credit card numbers were accessed,” it said in a statement.
“Twenty-seven credit card numbers with no CVV were accessed. The combination of data accessed varies for each affected passenger.”
Cathay Pacific said it took “immediate action to investigate and contain the event” after uncovering it.
However, it admits elsewhere that the breach occurred more than six months ago.
“We initially discovered suspicious activity on our network in March this year,” it said.
“Upon discovery, we took immediate action to contain the event, to commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.
“Unauthorised access to certain personal data was confirmed in early May. Since that time, analysis of the data has continued in order to identify affected individuals and to determine whether the data at issue could be reconstructed.”
CEO Rupert Hogg said the airline had “no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.”
Cathay Pacific said that “where possible, [it is] offering ID monitoring services” from Experian to affected passengers.
“This service monitors if your personal data may be available on public websites, chat rooms, blogs, and non-public places on the internet where data can be compromised such as dark web sites.”
The airline said it had called in a “leading cybersecurity firm” as well as Hong Kong police to investigate.
It has also set up a dedicated website – infosecurity.cathaypacific.com – for flyers who think they may have been impacted.