9.4 million people are at risk of identity theft after a massive data breach at Cathay Pacific

  • The 9.4 million passengers, whose private information was exposed in a data breach at Cathay Pacific, are now vulnerable to identity theft.
  • Experts say the information stolen means identities can be stolen, leaving passengers' lives in disarray.
  • The data accessed includes full name, date of birth and passport number.

A massive data breach at Cathay Pacific creates a high risk of identity theft for the 9.4 million passengers whose private information has been exposed, experts say.

Cathay Pacific has revealed that personal information of passengers — much of it useful for identity theft — was subject to a data breach seven months ago.

The data accessed in March this year: passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer program membership number; customer service remarks; and historical travel information.

There were no details on how many Australian passengers are affected. In Australia, Cathay flies from Sydney, Melbourne, Brisbane, Perth and Adelaide.

Shares in Cathay fell 7% in Hong Kong yesterday to a nine-year low on the news.

“The implications of this incident will go much further than Cathay Pacific and it will be the passengers that are most badly affected, as the information stolen means their identities can be stolen and potentially leave their lives in complete disarray,” says Daniel Lai, the CEO of archTIS, a cyber security company which listed on the ASX in August.

“Cathay Pacific’s reputation is seriously damaged by this leak, particularly because of the length of time it has taken them to disclose this incident.

“Australian companies operate under tougher and more appropriate disclosure laws, with new laws in Australia making this sort of disclosure mandatory.

“Time and time again, these breaches demonstrate that traditional commercial security is not up to the task of protecting a customer’s personal information and organisation’s reputation.”

Nick Lennon, Country Manager at Mimecast, an international company specialising in cloud-based email management, says the Cathay Pacific breach is concerning in terms of its scale and the length of time taken to alert affected customers.

“Once personal information is compromised, cyber criminals can implement highly targeted spear-phishing and social engineering attacks, often via impersonation emails against friends or business contacts,” he says.

“These impersonation attacks are now the easiest way for criminals to steal money and valuable data.

“Notified customers should change passwords as a precaution and alert their employer’s IT security teams to help look out for attacks misusing their personal information.”

Australia, in February this year, introduced new rules for data breaches, making notification of those affected mandatory.

Cathay Pacific has said it is notifying authorities.

The Office of the Australian Information Commissioner would not confirm whether it had been notified of this breach.

“In cases where we are made aware of a potential privacy incident or notifiable data breach, the OAIC may engage with the organisation involved to establish the facts of the matter,” says the Office of the Australian Information Commissioner.

“We do not generally comment about specific incidents or ongoing inquiries or investigations.”

The airline has set up a dedicated website for information about the data breach.
