Hong Kong-based airline Cathay Pacific has been hit by a mammoth data leak that has exposed the details, including passport numbers, of a staggering 9.4 million people.
The airline has taken seven months to reveal the breach.
Cathay Pacific said today that the stolen data includes “passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number… historical travel information” and more.
There was little sign that the company was making efforts to notify passengers, e.g. through social media, with its Facebook page (which has 1.9 million likes) last updated on October 8 with a post about “Guide Dogs Week”.
See also: Magecart Stockpiling Magento Extension 0days: Is Your Business at Risk?
The airline, which carries some 34 million passengers annually to 200 destinations, said that it had discovered the “unauthorised access” to its information systems as part of its “ongoing IT security processes”.
The suspicious activity was discovered in March, and the loss of personal information was confirmed in May, the airline told Reuters.
The FT reports Cathay Pacific has contracted consultants from Mandiant, part of FireEye, to conduct a forensic investigation into the breach.
Cathay Pacific Hack: CEO “Very Sorry”
Cathay Pacific Chief Executive Officer Rupert Hogg said in a statement Wednesday: “We are very sorry for any concern this data security event may cause our passengers.”
He added: “We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.”
Reuters reports citing Cathay sources that 403 “expired credit card numbers” and 27 credit card numbers with no card verification value (CVV) were accessed – in contrast to a recent hack of British Airways, which resulted in the theft of 380,000 customers’ payment details, as reported by Computer Business Review.
Read this: BA Hack: Precise Script, Threat Group Identified
Ted McKendall, CTO of Trusted Knight said in an emailed statement: “There are no details of how the breach was executed yet, but I can only assume that the extreme delay between identifying the breach and notifying customers is because the airline was trying to patch its systems first.”
He added: “While the airline has been quick to assure customers that only a small amount of financial information has been leaked, the data that has been leaked is more than unsettling. The passport information of passengers on the dark web will have an extremely high price tag. Much of this information – names, dates of birth, email and physical addresses – could be used to conduct further attacks against passenger’s other accounts as often these details are enough to bypass security.”