Cathay Pacific Airways, which is struggling to turn a profit, announced on Wednesday a massive data breach of its computer system that happened seven months ago.
The unauthorized access to the data of passengers of Cathay Pacific and wholly owned subsidiary Hong Kong Dragon Airlines affected as many as to 9.4 million people, the company said.
The airline discovered suspicious activity on its network in March and was able to contain it soon afterwards. It confirmed in early May that some personal data of its customers were accessed with no authorization, the Hong Kong Economic Journal reports.
The data included passenger name, nationality, date of birth, phone number, email, physical addresses, passport number, identity card number, frequent flyer program membership number, customer service remarks, and historical travel information, along with 403 expired credit card numbers and 27 credit card numbers with no card verification value.
The combination of data accessed varies for each affected passenger, Cathay said, adding that the incident had no impact on flight safety since the affected information systems are separate from its flight operations network.
The airline also said it has no evidence that any personal information has been misused. It said police have been notified and relevant authorities are being notified as well.
Cathay chief executive Rupert Hogg apologized for the data breach, noting that no customer travel or loyalty profile had been accessed in full and no passwords were compromised.
He said measures have been taken to enhance the company’s IT security.
The company is contacting affected passengers through multiple communications channels, and providing them with information on steps they can take to protect themselves, Hogg said.
Cathay suggested anyone who believes they may have been affected by the incident should contact the company via a dedicated website – infosecurity.cathaypacific.com – which also provides information on the event and what to do next. They may also send an email to [email protected]
There is also a dedicated call center available after 12:30 p.m. Thursday (toll free numbers are available on infosecurity.cathaypacific.com).
Privacy Commissioner for Personal Data Stephen Wong Kai-yi expressed serious concern over the data breach as the incident might involve a vast amount of personal data of local and foreign citizens.
Civic Party lawmaker Jeremy Tam Man-ho, a former pilot, urged local companies holding personal information of their customers, not just airlines, to review their computer security systems.
Tam said the culprits behind the data breach would probably find it hard to take advantage of the acquired information since the accessed identity card numbers could be only partially viewed.
Meanwhile, a cyber security expert said affected Cathay customers should immediately change the passwords of their affected online accounts, including membership accounts with Asia Miles and Marco Polo Club.
As to the delay in the announcement of the data breach, Paul Loo, Cathay’s chief customer and commercial officer, said in a radio program on Thursday morning that the company was trying to avoid introducing unnecessary panic among its customers and had to spend more time to find out what really happened.
– Contact us at [email protected]