Update On The Massive Cathay Pacific Data Breach Affecting 9.4 Million Passengers – Customers Finally Notified!

Cathay Pacific has finally gotten around to actually notify customer about a massive data breach it had discovered in MARCH of this year yet didn’t tell anyone about it.

The company has sent out emails to affected customers explaining which information has been accessed and offering free privacy monitoring service where available.

John wrote about the data breach a couple days ago (access here) and the airline has been everything but forthcoming about the incident given that it already happened in march and by now were more than half a year later into this situation.

The following email from Cathay Pacific arrived yesterday afternoon:

Dear Mr/Mrs,

We are contacting you to make you aware of a data security event that involves some of your personal data. We are very sorry for any concern that this event may cause you, and this notice will provide you with information about what happened and how we can assist you.

What Happened?

As part of our ongoing IT security processes, we discovered unauthorised access to some of our passenger data.

We initially discovered suspicious activity on our network in March this year. Upon discovery, we took immediate action to contain the event, to commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures. Unauthorised access to certain personal data was confirmed in early May. Since that time, analysis of the data has continued in order to identify affected individuals and to determine whether the data at issue could be reconstructed.

We have no evidence that any personal data has been misused. We recommend that you follow the steps outlined in this notice to help protect yourself against potential risks.

What information was involved?

These specific types of personal data about you were accessed:

– HKID Number / Name / Title

Your travel or loyalty profile was not accessed in full, and your password was not compromised.

What are we doing to help?

You can find more information at our dedicated website, infosecurity.cathaypacific.com.

Where available in your country, we are offering ID monitoring services to affected passengers. This will be provided by Experian, a global data and information service provider. This service (IdentityWorks Global Internet Surveillance) monitors if your personal data may be available on public websites, chat rooms, blogs, and non-public places on the internet where data can be compromised such as dark web sites.

This is an optional service, and how much information to include in the identity monitoring is completely at your discretion.

The information you provide to Experian will only be used by Experian for the sole purposes of identity monitoring. It will not be published to any other entity.

Please visit the following website: https://www.globalidworks.com/identity1 and click the Get Started button to activate this 12 month complimentary service. You can then enter your personalized activation code: XXXXXXXX to start your IdentityWorks Global Internet Surveillance.

The ID Monitoring Services are available in Australia, Brazil, Canada, France, Germany, Hong Kong, India, Ireland, Italy, Mexico, Netherlands, New Zealand, Norway, Poland, Singapore, United Kingdom and United States.

The Activation Code for the ID Monitoring Services will expire on 30 April 2019.

We have notified, or are notifying, the relevant authorities and the Hong Kong Police.

I would have expected a bit of an explanation why nobody cares to inform customers about the time lapse between March and late October 2018, respectively why nobody cared until now. The company was surprisingly (or not) tight lipped about this.

Of course there is no compensation either for those passengers who are affected by this. Just the typical “Sorry but not sorry” from the company that fouled up.


Whenever one of these big companies had a data breach in recent time they then offered this privacy monitoring service for which in many cases they don’t even pay for. These services are given to them by the company such as Experian free of charge and then Experian hopes customers will extend the service for a fee following the free period.

I stopped a long time ago keeping extensive customer service profiles with stored credit card data etc even though the recent British Airways data breach showed that even individual transactions were affected by it as well.