Cathay Pacific gave 9.4 million of its passengers a little souvenir to remember their trip on the airline—a data breach. The Hong Kong-based airline has admitted that the personal details of 9.4 million passengers were inappropriately accessed, including passport information and credit card numbers. The breach happened in March and confirmed by the company in early May, but in what is increasingly a tradition for hacked companies, it was only made public on Wednesday.
In addition to passports and credit card info, personal data including names, nationalities, birth dates, phone numbers, email addresses, physical addresses, identity card numbers, frequent flyer program membership numbers, customer service remarks, and historical travel information were all accessed, according to the airline’s advisory on the breach.
Cathay Pacific claims that no passwords were compromised and that there is no evidence that all of that personal data was exposed for every affected passenger. So far, the company says it does not believe the data has been misused. Although, if it was, they may not tell us for six more months. That said, delaying announcing the breach may get Cathay Pacific in trouble with the European government, as the General Data Protection Regulation (GDPR) rules require companies to tell customers and law enforcement within three days of discovering a breach.
Those affected will be contacted with information on what types of personal data was exposed, Cathay Pacific says. If you haven’t been contacted but have flown with Cathay Pacific, you can contact them here.