Cathay Pacific Suffers Huge Data Breach – 9.4 Million Customers Affected

Just a day after Cathay Pacific announced that their arrivals lounge in Hong Kong was closing, they reveal that they have suffered a huge data breach.

How huge? Approximately 9.4 million records have been released onto the open market.

Cathay Pacific recently took delivery of their first A350 aircraft.

What happened?

Back in March, Cathay Pacific’s database server suffered a leak. Whether this was the work of hackers, scammers or just plain human error has not yet been revealed.

Cathay, of course, wanted to confirm whether the leak was real, and took two months to do so, confirming it in May.

They then sat on the information until now (October). Why they decided not to reveal it for so long is anyone’s guess. Perhaps they were waiting for their troubling time earlier this year to blow over, when they reported losses for the last financial year.

What was leaked?

In a recent statement, Cathay revealed what data was actually leaked.

“The types of personal data accessed were the names of passengers, their nationalities, dates of birth, telephone numbers, email, physical addresses, passport numbers, identity card numbers, frequent flyer programme membership numbers, customer service remarks, and historical travel information.” – Cathay Pacific Statement

The statement went on to suggest that approximately 860,000 passport numbers and approximately 245,000 Hong Kong identity card numbers were accessed.

Some credit card information was accessed, but no PIN or CCV was leaked. It is likely that Cathay did not have this on file.

They additionally said that the IT systems affected are totally separate from its flight operations systems, and there is no impact on flight safety.

Cathay has said there is no evidence that this has affected anyone so far and that the data, wherever it is, has not been abused.

But they have still handed the case over to the Hong Kong police.

What does this mean for Cathay Pacific?

This data leak news comes on the heels of a similar incident with British Airways, in which 380,000 records were leaked. Much of the data was the same (traveler information, passports, etc.). What is different is how British Airways handled it.

British Airways admitted what had occurred almost as it happened, letting various agencies and their customers know that their information may have been compromised. The sooner the victims of a data leak are notified, the sooner they can take action to prevent being impacted (through scamming, identity theft, etc.).

But why did Cathay Pacific wait so long?

That is the question that many are asking, from Twitter:

To Hong Kong government officials:

Hong Kong’s privacy commission on Thursday expressed serious concern over a data breach at Cathay Pacific Airways (0293.HK) and urged the airline to notify passengers affected by the leak as soon as possible and explain the details. – Reuters

Needless to say, Cathay Pacific is already feeling the effects, with their share price slumping six percent since Thursday. Because they waited so long, they might face costly GDPR repercussions due to the amount of time that passed, as European law (Cathay operates in Europe) states that data leaks must be revealed as they happen.

It remains to be seen what this investigation will reveal.

Do you think Cathay Pacific took the right action? Let us know in the comments.