Hong Kong airline Cathay Pacific has admitted to a massive data breach in March that may have resulted in up to 9.4 million customers having personal information stolen.
The information that may have been compromised includes names, dates of birth, passport information, postal and email addresses, nationalities and phone numbers.
Travel information, frequent flyer numbers and customer service comments were also breached - as were a total of 403 expired and 27 current credit card numbers that were devoid of CVV numbers. At the time of writing there has been no word on whether unexpired credit cards with CVVs were also compromised.
The airline has stated on its website that passenger information has not been misused.
"We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.
Cathay Pacific announced today that as part of its ongoing IT security processes, it has discovered unauthorised access to some of its information system containing passenger data of up to 9.4 million people. Upon discovery, the company took immediate action to investigate and contain the event. The company has no evidence that any personal information has been misused. The IT systems affected are totally separate from its flight operations systems, and there is no impact on flight safety."
There has been no clear explanation as to why it took the airline almost seven months to disclose the breach. However, Cathay Pacific's Chief Executive Officer Rupert Hogg apologised for the incident and stated that "We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures." Cathay Pacific is also reportedly working with the Hong Kong police on the investigation.
Considering that the airline flies all over the world, including Europe, it will be interesting to see whether it will be subject to a fine under the General Data Protection Regulation (GDPR), which came into effect on May 25. Organisations that operate within Europe must disclose breaches to customers and authorities alike within days of discovery.
If you think you may have been affected by this breach, you can find out more information here.