Hong Kong based international airline, Cathay Pacific, that serves flights around the world announced a data breach which exposed the personal information of 9.4 million of its passengers.
This breach is the latest in a string of recent data breaches to affect the aviation industry including British Airways, Air Canada and Delta Airlines which all experienced data security incidents this year.
Cathay Pacific has acknowledged that a broad range of passengers’ personal information was accessed without authorisation in March 2018, including passport numbers, names, nationalities, dates of birth, ID numbers, telephone numbers, travel history, expired credit card numbers, physical addresses and email addresses.
Chief executive, Rupert Hogg, said:
“We are very sorry for any concern this data security event may cause our passengers.”
The airline initially discovered suspicious activity on its network in March this year. After investigations, in May it was established that its systems were accessed without authorisation and that passengers’ personal data has been accessed and placed at risk.
In a statement yesterday, Cathay Pacific said:
“The company has no evidence that any personal information has been misused. The IT systems affected are totally separate from its flight operations systems, and there is no impact on flight safety.”
It took the airline over six months from the time the breach occurred to announce it publicly. The company has a presence in Europe so the GDPR, which requires companies to inform data subjects of any breach affecting their personal information within 72 hours of discovery of a breach, may cause Cathay Pacific some additional difficulty. However, such actions are not required in Hong Kong.
The airline’s absence of urgency in informing affected passengers of the data breach has angered Hong Kong’s privacy commissioner, Stephen Wong, and he is considering tightening the rules so that similar incidents would be made public in a timely manner.
Cathay Pacific has notified the Hong Kong Police and other relevant authorities and is contacting customers who may have been affected by this breach.