Cathay Pacific Airways stocks have plunged to their lowest level in nearly a decade after the airline revealed that a massive data breach had affected the information of 9.4 million passengers.
Hong Kong’s flagship carrier said it had discovered unauthorised access to the personal data but had no evidence the leaked information had been misused.
Data breach documents from Hong Kong Exchanges — which operates the Hong Kong Stock Exchange — noted on Wednesday that Cathay Pacific first discovered suspicious activity on its network in March.
The documents state “unauthorised access to certain personal data was confirmed in early May 2018”.
The airline noted in a statement on Wednesday that the breach was discovered during “ongoing security processes”.
Cathay Pacific said the stolen data included names, nationalities, birth dates, phone numbers, addresses, passport and identity card numbers and expired credit card numbers, among other information.
It noted that 403 expired credit card numbers and 27 credit card numbers with no CVV were accessed.
The company said no passwords were compromised.
Privacy commissioner orders investigation
Hong Kong’s privacy commissioner, Stephen Kai-yi Wong, expressed “serious concern” over the lapse and urged companies to improve protection of personal data.
He said his office would begin a compliance check of the airline.
He urged people to change their passwords and enable “two-factor authentication” to help protect their data.
The news caused the airline’s shares to plunge 6.5 per cent in early Hong Kong trading.
The company said it was contacting customers to advise them on how to protect themselves.
“We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures,” the airline’s chief executive officer Rupert Hogg said in a statement.
“We are very sorry for any concern this data security event may cause our passengers,” he said.
In September, British Airways revealed a similar hack that exposed hundreds of thousands of customers, and Delta Air Lines in the US said in April that several hundred thousand customers could have been exposed by a malware breach months earlier.