Yet Another Massive Data Breach Hits A Major Airline: This Time, Cathay Pacific

Filed Under: Cathay Pacific

2018 has already seen several major airlines suffering data security breaches. Recently, I’ve written about:

This is now happening monthly, and Cathay Pacific is the latest to be targeted.

Cathay Pacific

The BBC is reporting that almost 10 million Cathay Pacific passengers were affected, with a range of information stolen, including:

  • names
  • dates of birth
  • passport numbers
  • (expired) credit card details
  • email addresses

Almost one million passport numbers alone were stolen, along with almost a quarter of a million Hong Kong identity cards.

Cathay Pacific has said that no passwords were stolen, so passwords will not need to be reset like in the Air Canada incident. This information was apparently stolen back in May, but Cathay has said they did not want to notify anyone affected back then as they didn’t want to scare anyone unnecessarily as they investigated the full extent of the breach.

Rupert Hogg, Cathay’s CEO, said of the incident:

We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures. We are very sorry for any concern this data security event may cause our passengers.

Cathay Pacific is currently contacting affected passengers, presumably to reassure them their personal information will no be misused. Theft of personal information can be used in identity fraud, where a fraudster uses this stolen information to build a fake profile of someone to then use that identity for their own financial gain, such as applying for a credit card.

Cathay Pacific shares dropped 6% following news of the data breach, a nine year low.

Bottom line

These data breaches are now occurring monthly to some of the biggest airlines in the world. You would assume Air Canada, British Airways and Cathay Pacific would have industry leading information security controls.

I’m not a cyber security expert but based on the attacks of the last few months would expect them to continue.

If you think you may have been affected by the Cathay Pacific breach they have established a special website here.

Have you ever had your personal information compromised?

  1. They have always been an irresponsible arrogant uncaring company corporate wise
    Despite having nice flight attendants a good first class and a respectable business class
    Flying out of LA they turned the experience into flying out of a 3rd world country
    I’ve actually never seen anything like it in my lifetime
    Not surprised at all of their lapses in good judgement

  2. Did not want to scare unnecessarily… They got name, birthday and passport number, that is like handing out your ID to a stranger. Can’t get any worse than this. They should be on top of this, immediately notify everyone, provide years of identity theft protection, etc…

  3. just awful. the worst yet by far. 9.4 million peoples’ info breached, including 1mm passport numbers! This isn’t just email addresses and passwords…in many cases, all 3 of passport number + nationality + DOB were stolen.

    And then they sat on their hands 7 months before disclosing. Completely shameful. The worst airline data breach by far and frankly not in the same league as the other ones being talked about.

    Simply pathetic of Cathay. It’s unforgivable they didn’t tell folks for this long, especially given the nature of what was stolen.

  4. The password requirements on some airline frequent flier account logins (Miles and More, Iberia come to mind) are shockingly low – 5 or 6 digit pins, probably hinting at bigger hidden security holes in the IT systems of these programs.

  5. @Dwon Flying in America is a third world experience, what do you expect. Who ever heard of collecting your bags again before you transit domestically, fucking savages.

  6. I saw this coming a mile away with Cathay. That’s what happens when you give a autonomous region control. No oversight. It would never happen at SQ.

  7. Hong Kong’s law is very bad when it comes to data breach.
    They do very little to protect consumers and almost nothing to punish companies.

    Best to setup shady tech startup in Asia. All the greed, none of the responsibility.

  8. James, you’ve missed the most important: the breach was discovered by CX in March, confirmed in May and revealed to public only days ago. Because they “didn’t want to cause panic”.

  9. Have just been told by email 6 items of my personal info we’re exposed in this incident including DOB, passport#, mobile#. CX was telling me am offered a complimentary 12 mth service subscription service with an ID monitoring company, not sure how much I should believe in what they’re telling me given they dragged for almost 6 mths to reveal such disaster. Absolutely pathetic.

  10. Rupert Hogg and his team have deliberately delayed announcing this to the customers effected by 7 months. They have put millions of customers at high financial and security risk without any end point. They are playing down what they did and prentending they are victims. This really isn’t the case. This entire team of management should be terminated immediately. Sadly, the authorities have not taken any strong action against these offenders and they continue to remain irresponsible untouchables, who do as they please. Hope justice prevails!!!

Leave a Reply

If you'd like to participate in the discussion, please adhere to our commenting guidelines. Your email address will not be published. Required fields are marked *