Cathay Pacific today announced it had discovered in MARCH that its information system had been breached and information of up to 9.4 million passengers stolen.
Thieves had access to passenger name, passport information, date of birth, email address, frequent flier number, historical travel information and customer service remarks. Apparently passwords were not stolen and only small number of credit card numbers.
You can access Cathay’s page for the announcement here.
Here the announcement from Cathay Pacific:
Wednesday, October 24, 2018 — Cathay Pacific announced today that as part of its ongoing IT security processes, it has discovered unauthorised access to some of its information system containing passenger data of up to 9.4 million people. Upon discovery, the company took immediate action to investigate and contain the event. The company has no evidence that any personal information has been misused. The IT systems affected are totally separate from its flight operations systems, and there is no impact on flight safety.
Cathay Pacific Chief Executive Officer Rupert Hogg said, “We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.
“We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.”
The following personal data was accessed: passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer programme membership number; customer service remarks; and historical travel information.
In addition, 403 expired credit card numbers were accessed. Twenty-seven credit card numbers with no CVV were accessed. The combination of data accessed varies for each affected passenger.
Cathay Pacific has notified the Hong Kong Police and is notifying the relevant authorities .
Anyone who believes they may be affected can contact Cathay Pacific in the following ways:
- Via the dedicated website – infosecurity.cathaypacific.com – which provides information about the event and what to do next
- Via Cathay Pacific’s dedicated call centre available after 12:30/25OCT (GMT+8) (toll free numbers are available on infosecurity.cathaypacific.com)
- Email Cathay Pacific at firstname.lastname@example.org
Hogg added: “We want to reassure our passengers that we took and continue to take measures to enhance our IT security. The safety and security of our passengers remains our top priority.”
How could it take Cathay Pacific SEVEN months after it suspected that hack took place to inform its customers (they still haven’t sent out emails to affected customers – I must be one of them due to extensive flight activity with the airline)?
I am getting sick and tired of all these breaches taking place at large companies and their inability to safeguard any information. You would think that they had hired competent people to run their IT departments that are in the hearth of most business today?