The Hong Kong-based Cathay Pacific Airways revealed on October 24, 2018 that they had they were the victims of cyberattack in March of this year. The associated data breach led to the theft of the passenger data of upwards of 9.4 million customers. The ill-gotten data included flyer’s passport information, including names, addresses, dates of birth, and identification numbers. In addition, the cybercriminals also acquired details of where individuals have travelled, and any customer service comments tied to their accounts.
The amount of data the thieves acquired varied from passenger to passenger, so not everyone will experience the same level of compromise. For example, some passengers had payment information stolen, including “403 expired credit card numbers…and so were 27 credit card numbers with no card verification value (CVV) numbers attached.” The Verge has reached out to Cathay Pacific to ask whether any credit cards with attached CVV numbers were wrapped up in the breach.
In a statement, Cathay Pacific said that they have “no evidence that any personal information has been misused,” and that user account passwords were not included in the stolen data. They also noted that the breach did not impact any of the “flight operations systems, and there is no impact on flight safety.”
There have been other recent high-profile hacks against airlines, including Delta, British Airways, and Air Canada, with the latter, like Cathay Pacific, including passport data. However, as a security expert told The Verge, the Cathay breach included “40 times more passports than the Air Canada breach, meaning it will have a much greater impact on passengers.”
Also telling is the time span between the occurrence of the breach and the airline’s public disclosure. As an international airline, with destinations across the globe, there is a good chance this incident will come under General Data Protection Regulation (GDPR) scrutiny for the sheer amount of time between breach and disclosure. Under GDPR rules, companies that experience a breach have 72 hours from discovery to notify the public of the incident.
In the meantime, if you have flown on Cathay Pacific or one of their subsidiaries (Air Hong Kong or Cathay Dragon), you can visit infosecurity.cathaypacific.com to learn more about the incident, and what next steps you can take to protect yourself from further harm.