Cathay Pacific has confirmed that over 9.4 million of its passengers have had their personal information, which includes passport details and credit card numbers with no card verification value (CVV), compromised in a data breach. The airline told its Twitter followers, "We have discovered unauthorized access to some of our passenger data."
Cathay Pacific Airways Limited, the flag carrier of Hong Kong, with its head office and main hub at Hong Kong International Airport, is an award-winning carrier that has been awarded "World's Best Airline" four times.
"Passengers that travel with Cathay should assume their personal information has already been stolen many times over," Sam Curry, chief security officer at Cybereason, said. The airline has recommended that concerned customers contact @cxinfosec via Twitter direct message for data security support. It also announced that it would be contacting its Marco Polo Club and Asia Miles users "in the coming days."
A dedicated site has been set up to provide updates. Cathay Pacific has advised customers to follow the steps outlined on the page to protect themselves against potential risks.
Cathay Pacific CEO, Rupert Hogg, has said that "we acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures." He added that none of the passwords had been compromised during the breach. Reports state, however, that approximately 860,000 passport numbers were compromised, as well as credit card numbers, email addresses and Hong Kong identity card numbers.
Customers have expressed concerns that Cathay took so long to report on the extent of the breach since it was aware of suspicious activity back in March and the loss of personal information was reportedly confirmed in May. In response to complaints, the company has tweeted that "we believe it is important to have accurate information to share so that people know the facts and we can support them accordingly."
Ted McKendall, CTO of Trusted Knight, says the breach is a disaster that is far more serious than the British Airways leak last month. "There are no details of how the breach was executed yet," McKendall says, "but I can only assume that the extreme delay between identifying the breach and notifying customers is because the airline was trying to patch its systems first."
On Thursday, shares of Cathay Pacific dropped nearly seven percent to a nine-year low after the extent of the breach was revealed. "People are concerned about why it took so long for them to make an announcement," said Linus Yip, chief strategist at First Shanghai Securities. "The market demands more details and explanation."
"We expect its share price to remain jittery in the near term," BOCOM International's Geoffrey Cheng said. "We will revisit our earnings forecasts and review our rating for CPA soon."
The data breach has been revealed as the airline is carrying out an overhaul designed to lower costs and increase revenue, after several continuous years of losses. Cathay hopes the improvement will allow the carrier to compete against rivals from the Middle East, mainland China and low-cost airlines. In August, Cathay Pacific posted a narrower half-year loss after an increase in airfares and cargo rates and also forecast a healthier second half despite economic headwinds from growing US-China trade conflicts.