Cathay Pacific, one of the main airlines in Hong Kong, says records on as many as 9.4 million passengers may have been stolen in a data breach.
The airline said in a statement Wednesday that there was “no evidence” that passenger data had been misused, but warned that passenger names, dates of birth, nationalities, phone numbers, email and postal addresses, and passport and identity card numbers may have been taken. Historical travel information and remarks made by customer service was also accessed.
A little over 400 expired credit card numbers were accessed, including 27 credit card numbers without verification numbers.
No passwords were taken in the breach, the company said.
The company said that it first identified unauthorized access to its systems in March, but didn’t say why it took more than six months to reveal the breach publicly. The company didn’t immediately respond to a request for comment outside business hours. That might be a problem for the company in Europe, where the recently introduced General Data Protection Regulation (GDPR) now requires organizations to notify the authorities and customers of a breach within three days. Companies flouting the law can face fines of up to four percent of their global annual revenue.
The company didn’t say if European authorities were notified, but Hong Kong police are investigating the breach.
Chief executive Rupert Hogg apologized for the breach. “We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures,” he said.
The airline is one of the largest and oldest airlines around, jetting more than 30 million passengers around the world each year.
It’s the second airline security incident this year. British Airways admitted a website and app breach earlier this year, which security researchers later found was caused by credit card skimming malware injected on its site.