Cathay Pacific airline reported a data breach today that affected 9.4 million customers exposing a large range of personally identifiable information and a limited amount of credit card data.
Airline officials said in a statement that the breach was revealed during a security review when unauthorised access was discovered in the system containing passenger data. The company said it does not believe the compromised information has been misused and that this computer network is not connected to flight operations.
"We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised," Cathay Pacific CEO Rupert Hogg said in a statement.
The data contained in the exposed system included passengers names, nationality, date of birth, phone number, email, address, passport number, identity card number, frequent flyer program membership number, customer service remarks and historical travel information. Additionally, 430 credit cards were accesses, of these 403 were expired and 27 active, but no CVV numbers for the latter were exposed.
Webroot senior security analyst Randy Abrams noted the airline could be in some trouble with the European Union as under GDPR companies doing business in the EU must report any data breaches within 72 hours.
"In addition to the reputation cost, Cathay Pacific may face costly GDPR repercussions due to the amount of time that passed between the discovery of the breach and reporting it to the public," he told SC Media.
* This article originally appeared in SC Magazine in the US.