Cathay Pacific Airways has suffered a major data breach in which the personal information of around 9.4 million passengers was stolen.
The company confirmed on Wednesday that it had discovered unauthorized access to IT systems containing sensitive personal information of its own customers and of those of its business unit Hong Kong Dragon Airlines.
The personal data affected includes passenger name, nationality, date of birth, phone number, email address, postal address, passport number, Hong Kong identity card number, frequent flyer programme membership number, customer service remarks and historical travel information.
Only 403 expired credit card numbers and 27 credit card numbers without CVV were exposed in the breach.
Details of how the incident occurred are still not known, but the airline says there is no evidence of the data being misused.
According to CEO Rupert Hogg, the company acted immediately to contain the event and carried out a thorough investigation with the assistance of a leading cybersecurity firm in order to further strengthen its IT security measures.
The company is in the process of contacting affected passengers through multiple communication channels and providing them with details of the measures they should take to protect themselves. No customer's travel or loyalty profile was accessed in full, and no passwords were compromised.
Reports suggest that the firm first found the suspicious activity in March 2018 and confirmed it in May, meaning the company failed to inform its customers for over five months.
The incident does not fall under the GDPR even if the data of EU citizens were compromised.
Hong Kong's privacy commissioner explained in April that businesses in the Chinese SAR should prepare for the legislation.
Steve Malone, director of security product management at Mimecast, reports that once personal information has been compromised, cyber-criminals can mount highly targeted spear-phishing and social-engineering attacks, using impersonation emails against the victims' friends or business contacts. He added that impersonation attacks are the easiest method for criminals to steal money and data.
Customers who have been notified of the data breach should change their passwords as soon as possible as a precaution, and should also alert their employer's IT security teams so that they can look out for attacks misusing the stolen personal information.