Cathay Pacific Data Breach Affects 9.4 million People
Hong Kong-based airline Cathay Pacific has announced a major data breach affecting the data of up to 9.4 million passengers.
The breach took place in March when hackers gained access to 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 card numbers with no CVV card verification codes.
Full data exposed in the breach included passenger names, nationality, date of birth, address, telephone number, email address, passport number, identity card number, frequent flyer membership number, customer service comments and historical travel information.
It appears that no passwords have been compromised in the breach and the airline has assured passengers that flight safety will not be affected as the hacked IT systems are separate to its flight operations systems.
Cathay Pacific CEO, Rupert Hogg, released a statement apologising to the airline’s customers: “We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event and commenced a thorough investigation with the assistance of a leading cybersecurity firm to further strengthen our IT security measures.
“We are in the process of contacting affected passengers, using multiple communications channels and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.”
The breach is just the latest in a string of attacks on the aviation industry. In April, Delta Airlines confirmed a cyber-attack on one of its suppliers exposing the credit card details of thousands of its passengers. In August, Air Canada revealed that 20,000 customers had been affected by an attack on its mobile app, and in September, British Airways announced a huge breach affecting the data of 380,000 of its customers.
British Airways was swift to make an announcement confirming the breach; however, it has taken Cathay Pacific over 6 months to publicly announce the attack. Despite the airline being based in Hong Kong, it does have a presence in Europe, which may make it liable for fines under the GDPR.
The GDPR requires that organisations disclose any personal data breaches to the relevant supervisory authority within 72 hours of detection. Organisations in breach of the GDPR can be fined up to 4% of annual global turnover or 20 million euros (whichever is greater). Fines will depend on the severity of the breach and whether organisations have taken steps to show they are compliant.
Following the disclosure of the breach, shares of Cathay Pacific have tumbled nearly 6% in Hong Kong trading.