Cathay Pacific, the Hong Kong-based international airline, acknowledged on Wednesday that its computer system had been compromised at least seven months ago, exposing the personal data and travel histories of as many as 9.4 million people.
The breach involved private user information, including phone numbers, dates of birth, frequent flier membership numbers and passport and government ID numbers, as well as information on passengers’ past travels. The airline said that 27 credit card numbers — but not their corresponding security codes — had been obtained, as had 403 expired credit card numbers.
The company said that no passwords were compromised, and that the breach would not affect flight operations or safety. It said it learned in May that passenger data had been exposed after first discovering suspicious activity on its network in March. It did not immediately respond when asked whether it had any indication of who was responsible, and why it did not announce the breach earlier.
“The safety and security of our passengers remains our top priority,” said Rupert Hogg, the carrier’s chief executive.
As Asia’s economic might has grown over the past half-century, Cathay has become a major carrier in the region, one known globally for its customer service. Last year it carried nearly 35 million passengers to around 200 destinations in more than 50 countries or territories. But the security breach has come at a tough time for the company, which counts the state-backed carrier Air China as a major shareholder.
Cathay has faced growing competition in the region from low-cost carriers and other emerging rivals, and has been losing money for the past two years. Its shares fell in Hong Kong trading on Thursday.
Airlines are juicy targets for hackers, with their vast stores of information not only on people’s identities and credit cards, but also on where they have been.
In an era when issues of data protection have come to the fore in Washington and other global capitals, the Cathay breach does not stand out for its scale. The airline said in a filing with the Hong Kong Stock Exchange that around 860,000 passport numbers and 245,000 Hong Kong identity card numbers had been exposed. By contrast, the security breach discovered by Facebook last month involved 50 million user accounts.
Still, the types of information in Cathay’s systems that were compromised could be particularly useful to malicious agents. Names, birthdays, travel itineraries and passport details could be used to reset passwords or obtain private financial information.
Last month, British Airways said that criminals had stolen data on people who booked flights on its website or app during a roughly two-week period in August and September. That security breach exposed personal and financial details, the airline said, but not travel or passport information.
Delta Air Lines said earlier this year that customer payment information had been exposed after a security breach at a company that provided online chat services for it. In that case, no customers’ passport details were compromised, Delta said.