Cathay Pacific revealed a data breach from earlier this year that affects around 9.4 million customers, whose records that have been accessed with details including credit card numbers, passport information, and postal addresses.
On a dedicated website that the airline has set up for those who may be affected by the breach, Cathay Pacific stated that while the combination of data varies among the affected passengers, no travel or loyalty profile, and passwords were accessed in full or compromised. The airline will also report to each Marco Polo Club, Asia Miles, or Cathay Pacific site user who was affected individually what details that were accessed.
Besides credit card numbers, passport numbers, and postal addresses, the other information that may have been accessed include passenger names, frequent flyer program membership numbers, customer service remarks, and historical travel information.It was reported that around 403 expired credit card numbers, and 27 credit card number without a CVV were accessed.
In a statement by the airline, Cathay Pacific Chief Executive Officer Rupert Hogg said, “We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.
“We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.”
Cathay Pacific’s data breach is follow similar breaches on other airlines such as Delta and British Airways, and the airline has reached out to the Hong Kong Police and other relevant authorities. While based in Hong Kong, the airline’s presence in Europe could result in more scrutiny and trouble with the newly passed European Union General Data Protection Regulation (GDPR) that requires reporting any cyber-breach within three days of discovering it.
If you are a member of Cathay Pacific’s frequent flyer programs or have booked travel with them, you can email the airline at firstname.lastname@example.org or visit their dedicated page at infosecurity.cathaypacific.com.