Exposed data from 9.4 million Cathay Pacific customers

On October 24, 2018, Cathay Pacific Airlines reported that it had suffered a major security incident related to the theft of personal and financial data from 9.4 million customers.

The company detected the incident through its security checks and discovered unauthorized access to a portion of its customer database that included passenger names, nationalities, birthdates, telephone numbers, e-mails, physical addresses and passport numbers, as well as 403 expired credit card numbers and 27 active credit cards.

Rupert Hogg, Cathay Pacific CEO, said the company acted immediately to resolve the incident and is conducting a thorough investigation while attempting to strengthen its security measures.

Update 12/11/2018: In a submission to Hong Kong’s Legco (its Legislative Council; broadly, the semi-autonomous Chinese territory’s equivalent of Parliament), the airline admitted that it had been under attack for three solid months, since March 2018, and then took half a year to tell anyone. What it had presented as "suspicious activity" was a large-scale attack on its servers. As an explanation for the delay in telling anyone about the hack, Cathay said it “wanted to be able to give a single, accurate and meaningful notification to each affected passenger, rather than to provide an overly broad and non-specific notice.”
