A massive data breach at Cathay Pacific affected 9.4 million passengers and may have exposed Australian travellers

Christian Keenan/Getty.
  • Cathay Pacific announces a data breach affecting 9.4 million people.
  • The information at risk includes date of birth and passport numbers.
  • The breach occurred in march but was only announced now.

Cathay Pacific revealed that personal information of up to 9.4 million passengers — much of it useful for identity theft — was subject to a data breach seven months ago.

The data accessed in March this year: passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer program membership number; customer service remarks; and historical travel information.

The airline says it has no evidence that any personal information has been misused. The IT systems affected are separate from flight operations systems, and there is no impact on flight safety.

There were no details on how many Australian passengers affected. In Australia, Cathay flies from Sydney, Melbourne, Brisbane, Perth and Adelaide.

“We are very sorry for any concern this data security event may cause our passengers,” says Cathay Pacific Chief Executive Officer Rupert Hogg.

“We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.

“We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves.

“We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.”

Cathay Pacific has notified the Hong Kong Police and is notifying other “relevant authorities”.

The airline has setup a dedicated website for information about the data breach.

Business Insider has contacted the Office of the Australian Information Commissioner for comment.

In Australia, the Notifiable Data Breaches amendment introduced in February this year requires that affected parties be notified of the loss of personal data likely to result in serious harm.

Business Insider Emails & Alerts

Site highlights each day to your inbox.

Follow Business Insider Australia on Facebook, Twitter, LinkedIn, and Instagram.