Hong Kong-based airline Cathay Pacific acknowledged that it had suffered a data breach seven months ago, with data on 9.4 million passengers possibly stolen. The delay in informing the public about the data breach has raised concern from both the public and the Hong Kong government.
Unauthorised individuals gained access to the airline’s private user information, including phone numbers, dates of birth, frequent flier membership numbers, and passport and government ID numbers, as well as information on passengers’ past travels, the New York Times reported. The airline said that 27 credit card numbers had been obtained, as well as 403 expired credit card numbers. However, the security codes of the valid credit cards were not compromised.
According to the company, no passwords were stolen, and there would be no effect on flight operations and safety. It first became aware of the breach in May, after detecting suspicious activity on its network two months prior. The airline did not reveal information about the culprit and why it did not announce the breach sooner.
The Hong Kong government issued a statement on Friday, saying that it is extremely concerned about the breach, and that the public is questioning whether the flag carrier airline is doing enough to remedy the issue, the South China Morning Post reported.
The Office of the Privacy Commissioner for Personal Data strongly criticised the airline for waiting for over half a year before coming forward about the breach.
The breach, which could be one of the largest ever to hit an airline, as well as the subsequent legal and reputational fallout could serve as a learning point for companies, including cyber insurance providers. Also, with the growing market for personal information on the dark web, the unauthorised access of data could severely affect the victims, exposing them to identity theft and other illicit activities such as insurance fraud.
