Cathay Pacific hit by data breach affecting up to 9.4m passengers

Leak includes passport numbers, contact details and travel histories

Cathay Pacific said that it first detected “suspicious activity” in March. Photograph: Reuters

Cathay Pacific said that it first detected “suspicious activity” in March. Photograph: Reuters

 

Cathay Pacific, Hong Kong’s flag carrier, has suffered a huge data leak, revealing late on Wednesday that someone gained “unauthorised access” to the data of up to 9.4 million passengers, including passport numbers, contact details and travel histories.

The airline said in a press release that it had “no evidence that any personal information has been misused” and was in the process of contacting affected customers, having already informed the Hong Kong police.

Cathay Pacific, which is 30 per cent owned by state company Air China and 45 per cent by the Swire conglomerate, has been struggling under the weight of competition from state-backed rivals in mainland China and the Gulf.

“We are very sorry for any concern this data security event may cause our passengers,” said Rupert Hogg, the airline’s chief executive. “We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cyber security firm, and to further strengthen our IT security measures.”

The airline said that it first detected “suspicious activity” on its IT systems in March and confirmed the “unauthorised access” to certain personal information in early May.

No passwords

It said the combination of data accessed varied by passenger but included passenger name, nationality, date of birth, contact details, passport number, identity card number, frequent flyer programme membership number and historical travel information.

It added that no passwords and only a small number of credit cards were compromised.

The breach is the latest in a series of aviation-sector cyber security incidents. In September, British Airways disclosed that hackers had stolen data relating to about 380,000 customers from its website and mobile app during a two-week period beginning on August 21, at the height of the summer holiday season.

In April, Delta Air Lines said one of its suppliers had been the victim of a data breach, while also in September Air Canada said its mobile app had been hit, potentially affecting 20,000 people. – Copyright The Financial Times Limited 2018