Cathay Says ‘Most Intense’ Period of Data Breach Lasted Months

The world’s biggest airline data breach, affecting millions of Cathay Pacific customers, was the result of a sustained cyber attack that lasted for three months, the carrier admitted, while insisting it was on alert for further intrusions.

The Hong Kong-based firm was subjected to continuous breaches that were at their “most intense” from March to May but continued after, it said in a written submission to the city’s Legislative Council ahead of a panel hearing on Wednesday.

It also looked to explain why it took until October 24 to reveal that 9.4 million passengers had been affected, with hackers getting access to personal information including dates of birth, phone numbers and passport numbers.

Cathay said that while the number of successful attacks had diminished, it remained concerned as “new attacks could be mounted”.

“Cathay is cognisant that changes in the cybersecurity threat landscape continue to evolve at pace as the sophistication of the attackers improves,” it said.

“Our plans, which include growing our team of IT security specialists, will necessarily evolve in response to this challenging environment.”

It explained in the statement that the nature of the attacks, enormous amount of investigative work and the process to identify stolen data contributed to the length of time between initial discovery and public disclosure.

It also said it was not until October 24 that it had completed the identification of the personal data that had been accessed.

Hong Kong-listed shares in the firm were up 0.57 percent in early afternoon trade.

The city’s Privacy Commissioner for Personal Data said last week it was investigating the carrier over the hack and why it took so long to tell customers.

The airline admitted about 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV) were accessed, but insisted that there was no evidence that personal data has been misused.

“No passenger’s travel or loyalty profile was accessed in full, and no passenger passwords were compromised,” it said.

The company has apologized to passengers affected and said it was helping them to protect themselves.

The troubled airline is already battling to stem major losses as it comes under pressure from lower-cost Chinese carriers and Middle East rivals.

It booked its first back-to-back annual loss in its seven-decade history in March and has previously pledged to cut 600 staff including a quarter of its management as part of its biggest overhaul in years.