Late on Wednesday night, Cathay Pacific and its subsidiary Hong Kong Dragon Airlines released a statement saying that the personal data of 9.4 million passengers had been leaked earlier this year. The city's flagship carrier revealed that it had discovered unauthorized access to some passenger data held by it and by its wholly owned subsidiary, which operates under the Cathay Dragon brand.
According to the South China Morning Post, the compromised data were: passengers' names, dates of birth, physical addresses, nationalities, emails, telephone numbers, identity card numbers, passport numbers, frequent flier programme membership numbers, travel history, and customer service remarks. Moreover, approximately 245,000 Hong Kong identity card numbers and 860,000 passport numbers were accessed without authorization.
The airline also said that 27 credit card numbers without a card verification number and 403 expired credit card numbers were accessed, though no passwords have been compromised. According to the statement, the company has seen no evidence that the personal information has been used elsewhere.
Suspicious activities were detected back in March, prompting the airline to start an investigation together with a cybersecurity firm. The unauthorized access to the data was then confirmed early in May. A spokesman for Cathay Pacific said the data accessed varies for each affected passenger. The affected information systems were separate from flight operations systems, so there is no impact on flight safety. The company said it would contact the affected passengers, Hong Kong police, and relevant authorities.
The president of the Hong Kong Information Technology Federation, Francis Fong Po-kiu, urged the carrier to contact the affected clients immediately, as the breach was discovered seven months ago. He believed that Cathay Pacific should clarify to its clients whether their data had been encrypted.
"The breach of this personal data could cause a lot of trouble because it can be used to build up people's virtual ID," Fong said.
Charles Mok, an IT sector lawmaker, considered the leak a "serious breach of personal data." He questioned why the company disclosed it so late when it had already found suspicious activities several months ago. He also said the company did not immediately notify the passengers or foreign and local privacy watchdogs, which is "unacceptable."
A spokesman for Hong Kong's Office of the Privacy Commissioner for Personal Data expressed concern regarding the breach, and the office now plans to contact the company for a compliance check. Under the European Union's new General Data Protection Regulation, such a breach should be reported within 72 hours.