The city’s flagship carrier said it had discovered unauthorised access to some of the passenger data it managed and that of its wholly owned subsidiary, which operates under the Cathay Dragon brand.
The compromised data included passengers’ names, nationalities, dates of birth, telephone numbers, emails, physical addresses, passport numbers, identity card numbers, frequent flier programme membership numbers, customer service remarks and travel history.
In addition, about 860,000 passport numbers and 245,000 Hong Kong identity card numbers were accessed without authorisation.
The airlines said 403 expired credit card numbers and 27 credit card numbers with no card verification value were also accessed. No passwords were compromised.
“The company has no evidence that any personal information has been misused,” the statement said.
The suspicious activity was detected in March and the airlines started an investigation with the help of a cybersecurity firm, the statement added. Information system security measures were then strengthened.
Unauthorised access to the data was confirmed in early May. A Cathay Pacific spokesman said that the combination of data accessed varied for each affected passenger.
The company said it was contacting affected passengers and had informed Hong Kong police as well as relevant authorities.
Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, urged the carrier to notify affected clients as soon as possible, pointing out the breach was discovered seven months ago.
Fong believed it necessary for Cathay Pacific to clarify whether the clients’ data had been encrypted or not, since the carrier’s statement did not address this point. “The breach of this personal data could cause a lot of trouble because it can be used to build up people’s virtual ID,” he added.
The carrier said that the affected information systems were separate from flight operations systems and that there had been no impact on flight safety.
IT sector lawmaker Charles Mok described the leak as a serious breach of personal data, noting that the airlines’ customers came from all over the world. He questioned the timing of the announcement.
“Why was it disclosed so late, months after the leak was found?” he asked. “They also didn’t immediately alert the affected passengers or local and foreign privacy watchdogs, which is unacceptable.”
Mok noted that the European Union’s new General Data Protection Regulation requires such breaches to be reported within 72 hours.
A spokesman for Hong Kong’s Office of the Privacy Commissioner for Personal Data on Wednesday said it had learned about the breach and expressed its concern. It planned to contact the company and launch a compliance check.
Last month, British Airways said the personal and financial details of customers making bookings on its website and app between August 21 and September 5 were stolen in a data breach involving 380,000 bank cards.