Millions of passengers hit in worst ever airline data hack

Cathay Pacific Airways said a hacker accessed a combination of name and either phone number or email for 9.4M customers.

Tail fins of Cathay Pacific Airways Ltd. aircraft, center and right, are seen at Hong Kong International Airport in Hong Kong, China, on Saturday, March 11, 2018. (Photographer: Anthony Kwan/Bloomberg)

Cathay Pacific Airways Ltd. said a hacker accessed personal information of 9.4 million customers, becoming the target of the world’s biggest airline data breach.

No evidence info has been misused

The airline’s shares sank the most in almost two years, shaving $201 million off its market value, after the Hong Kong-based carrier disclosed the unauthorized access late Wednesday, seven months after discovering the violation. While passports, addresses and emails were exposed, flight safety wasn’t compromised and there was no evidence any information has been misused, it said, without revealing details of the origin of the attack.

Related: Yahoo to pay $85M to settle consumer data breach class actions

“This is quite shocking,” said Shukor Yusof, founder of aviation consulting firm Endau Analytics in Malaysia. “It’s probably the biggest breach of information in the aviation sector.”

Affecting more people than the population of Cathay Pacific’s home base of Hong Kong, the hack is in another league to breaches reported by British Airways Plc and Delta Air Lines Inc. this year. Those carriers boosted spending on cybersecurity after hacks, which saw personal and financial information of hundreds of thousands of customers illegally accessed.

“At this point, we believe it is uncertain if Cathay Pacific would be liable to any fines imposed by government authorities for such a breach,” Geoffrey Cheng, an analyst at Bocom International Holdings Co., wrote in a research note Thursday. “However, we expect the share price jitters to linger on for a while.”

Related: Three keys to handling cyber claims

The data breach at Cathay — a partner of British Airways in the Oneworld airline alliance — adds to the carrier’s woes, with Chief Executive Officer Rupert Hogg trying to turn it around after two straight annual losses.

“I’m truly sorry for the concern this may have caused you,” Hogg said, addressing customers in a video posted to the carrier’s website.

Free ID monitoring to those who request it

For the majority of people affected, the hackers accessed a combination of passenger name, and either phone number or email, Hogg said. No one’s travel, Asia Miles or Marco Polo Club loyalty program profiles were accessed in full, and no passwords were compromised, he said. Cathay Pacific is notifying affected passengers, and will provide free ID monitoring to those who request it, he said.

“Upon discovery, we acted immediately to contain the event and to thoroughly investigate,” Hogg said. “We engaged one of the world’s leading cybersecurity firms to assist us, and we further strengthened our IT security systems too.”

Shares of Cathay Pacific tumbled 3.8% in Hong Kong on Thursday, the biggest loss since January 2017.

What got exposed?

Names, nationalities, dates of birth, telephone numbers, email, physical addresses, numbers for passports, identity cards and frequent-flier programs, and historical travel information. 403 expired credit card numbers 27 credit numbers with no CVV, or a security code About 860,000 passport numbers 245,000 Hong Kong IDs

Hong Kong’s privacy commissioner expressed serious concern over the leak and said the office will initiate a compliance check with the airline. A dedicated website, infosecurity.cathaypacific.com, provides information about the event and what affected passengers should do next.

Cathay Pacific @cathaypacific We have discovered unauthorised access to some of our passenger data. For Data Security Event support, please DM @CxInfosec for assistance.

Sent via Twitter for iPhone.

Criticism for taking too long to reveal breach

Some local lawmakers criticized Cathay for taking so long to reveal the breach. Lam Cheuk-ting, a member of the Legislative Council’s security committee, told reporters that many people in Hong Kong are angry and the airline should’ve taken the initiative the very first day it found out. Cathay’s Chief Customer and Commercial Officer Paul Loo said the airline wanted to have accurate grasp on the situation and didn’t wish to “create unnecessary panic,” AFP reported.

Upon discovery, Cathay said it took immediate action to contain the event and started a “thorough” probe with the assistance of a cybersecurity firm and bolstered its network security.

British Airways said the hack on its system lasted for more than two weeks during the months of August and September, compromising credit-card data of some 380,000 customers. Delta said in April that cyberattack on a contractor last year exposed the payment information of “several hundred thousand customers.”

Cathay is in the midst of a three-year transformation program, as part of which Hogg has reduced jobs starting with the carrier’s head office in Hong Kong to cut costs and introduced better business-class services on long-haul flights to help lure premium passengers.

Related: 4 steps to recovering from a cyber event