October 24, 2018 (updated 25 Oct 2018 12:28pm)

Cathay Pacific Hack: 9.4 Million Affected

Passport numbers, names, dates of birth, phone numbers, emails, addresses, identity card numbers and more all stolen

By CBR Staff Writer

Hong Kong-based airline Cathay Pacific has been hit by a mammoth data leak that has exposed the details, including passport numbers, of a staggering 9.4 million people.

The airline has taken seven months to reveal the breach.

Cathay Pacific said today that the stolen data includes “passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number… historical travel information” and more.

There was little sign that the company was making efforts to notify passengers, e.g. through social media, with its Facebook page (which has 1.9 million likes) last updated on October 8 with a post about “Guide Dogs Week”.


The airline, which carries some 34 million passengers annually to 200 destinations, said that it had discovered the “unauthorised access” to its information systems as part of its “ongoing IT security processes”.

The suspicious activity was discovered in March, and the loss of personal information was confirmed in May, the airline told Reuters.

The FT reports Cathay Pacific has contracted consultants from Mandiant, part of FireEye, to conduct a forensic investigation into the breach.


Cathay Pacific Hack: CEO “Very Sorry”

Cathay Pacific Chief Executive Officer Rupert Hogg said in a statement Wednesday: “We are very sorry for any concern this data security event may cause our passengers.”

He added: “We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.”

Reuters reports, citing Cathay sources, that 403 “expired credit card numbers” and 27 credit card numbers with no card verification value (CVV) were accessed – in contrast to a recent hack of British Airways, which resulted in the theft of 380,000 customers’ payment details, as reported by Computer Business Review.


Ted McKendall, CTO of Trusted Knight, said in an emailed statement: “There are no details of how the breach was executed yet, but I can only assume that the extreme delay between identifying the breach and notifying customers is because the airline was trying to patch its systems first.”

He added: “While the airline has been quick to assure customers that only a small amount of financial information has been leaked, the data that has been leaked is more than unsettling. The passport information of passengers on the dark web will have an extremely high price tag. Much of this information – names, dates of birth, email and physical addresses – could be used to conduct further attacks against passengers’ other accounts as often these details are enough to bypass security.”

