The personal data of 9.4m Cathay Pacific passengers has been stolen in a cyber attack on the Hong Kong airline.
The company said the breach targeted its main business as well as its Hong Kong Dragon Airlines subsidiary.
Data stolen in the breach includes 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 current credit numbers.
The names, nationalities, passport numbers, date of birth, email and home addresses of customers was included in the hack. No passwords are thought to have been accessed.
The company said that it has no evidence to suggest that any of the stolen information has been misused since the data breach. However, stolen customer data is immensely valuable to hackers, who can sell the information on.
Ryan Wilk, vice president at NuData Security said “Data in the wrong hands – especially payment card information – can have a huge impact on customers, far beyond the unauthorised use of their cards.”
“Payment card information, combined with other user data
from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cyber criminals and used for myriad criminal activities.”
Cathay Pacific said that it initially detected suspicious activity on its computer network in March, and had confirmed by May that a breach had taken place.
Cathay Pacific chief executive Rupert Hogg said “We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cyber security firm, and to further strengthen our IT security measures.”
This is the second hack of a high-profile airline in recent months. In September, British Airways announced that it had been hacked and that 380,000 sets of payment information were stolen. The company launched an investigation and notified police of the incident.
Customers of Cathay Pacific Airways concerned about the breach were advised to visit a dedicated website for the hack.