Cathay Pacific has confirmed a data breach that exposed the personal information of up to 9.4 million people.
The incident, which occurred last month, involved unauthorized access to a passenger database containing names, nationalities, dates of birth, phone numbers, email addresses, postal addresses, passport numbers, national ID numbers, frequent-flyer membership details, customer service notes and historic travel records. The airline noted that the specific data elements accessed differed between individuals.
Cathay Pacific reported the breach to Hong Kong police and is notifying other relevant authorities. The company stated that, to date, it has found no evidence of personal information being misused. Nevertheless, roughly 400 expired credit card numbers and 27 credit card numbers without CVV data were visible in the compromised files.
Rupert Hogg, CEO of Cathay Pacific, issued a statement apologizing for the incident: “We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.”
The airline is in the process of contacting affected customers through multiple channels and providing guidance on steps they can take to protect themselves. Cathay Pacific emphasized it has no evidence that anyone’s data has been misused, that no travel or loyalty profiles were fully accessed, and that no passwords were compromised.
Customers who receive notifications from the airline should follow the recommended precautions, such as monitoring financial statements, enabling alerts on bank and card accounts, and watching for suspicious emails or calls. Individuals concerned about potential identity theft may consider placing fraud alerts with their local credit agencies and reviewing account activity regularly.
Cathay Pacific has said it is reviewing and strengthening its IT security controls and working with cybersecurity specialists to complete a full investigation into how the breach occurred and to prevent further incidents. Affected passengers will continue to be updated as the inquiry progresses.