Cathay Pacific Hit With Class Action Lawsuit Over Data Breach


Cathay Pacific announced on Wednesday last week (read more here) that it had learned back in MARCH that someone had breached it systems and stolen variety information of 9.4 million passengers including names, passport information, email addresses, historical travel data and small number of credit card data.

SPG Law Cathay Pacific U

Cathay Pacific later has been contacting affected passengers (read more here) and thieves have already used this information (read more here) trying to get people to click on links that pretend they come from Cathay or one of their partners.

Now, Cathay Pacific is facing legal challenges due to this breach from European law firm that is representing more than 200 passengers mainly from China and Hong Kong. You can access the SPG Law compensation website here (just file your claim!).

SPG Law Cathay Pacific 2

Here’s an excerpt from the SCMP ( access their piece here):

Following a police search for evidence at Cathay Pacific’s headquarters in Chek Lap Kok on Monday, the Post learned that about 200 customers had expressed their intention to make a claim against the airline.

The law firm set up a compensation website on October 25 after Cathay Pacific disclosed that data from 9.4 million passengers had been leaked, including names, passport numbers, ID numbers, travel history and credit card numbers.

The group action planned in Britain would be restricted to European Union residents. On the website, the firm said the claimants had a right to compensation from Cathay Pacific for the data leak under Article 82 of the European Union General Data Protection Regulation (GDPR).

For other claimants, like those in Hong Kong and mainland China, Goodhead said the firm would file separately in the Netherlands, which “provides a mechanism [by which a] stichting, or a foundation, can represent claimants worldwide on a class action basis”.


All affected in this Cathay Pacific breach should head over to SPG Law’s micro site dedicated to this major breach and file their information. I don’t believe that companies will take information security seriously unless they start paying some serious amount of money as a compensation.

It is interesting to see how this will play out. The European Union GDPR legislation requires companies inform affected customers within 72-hours and Cathay took SEVEN MONTHS. At least Cathay’s customers in European Union should be protected under this legislation.

Cathay Pacific should have promptly informed affected passengers and not sit on this for such a long time hoping that the problem will simply go away.