Hong Kong’s carrier Cathay Pacific announced that more than 9.4 million Cathay Pacific and Cathay Dragon passengers have been affected by a data breach.
The amount of data leaked varies passenger to passenger, but exposed information includes names, dates of birth, postal addresses, email addresses, identity card numbers, passport numbers, frequent-flyer numbers and credit card numbers.
“The company has no evidence that any personal information has been misused,” a statement made by the airline said. “The IT systems affected are totally separate from its flight operations systems, and there is no impact on flight safety.” Additionally, account passwords have not been compromised, according to the statement.
Cathay Pacific said that it identified unauthorized activity back in March and confirmed that certain data had leaked in May after involving a cyber security team. However, it is not clear why the company waited until now to reveal this information publicly.
Although the airline is based in Hong Kong, it flies to 34 countries in Africa, Asia, North America, Oceania and Europe. In accordance with European Union’s new General Data Protection Regulation, companies must disclose data breach information to clients and law enforcement within three days of discovering it. In this case, it took the carrier about seven months to announce the breach.
Cathay Pacific has notified local police and is now working with relevant authorities, according to the statement.
Air Canada and British Airways have been recent victims of cyber attacks. Air Canada went through a mobile app data breach in August, and British Airways was hacked through its website in September. In both cases, customer data was stolen.