Millions of Cathay passengers hit in worst airline data hack

Hong Kong

CATHAY Pacific Airways Ltd became the target of the world's biggest airline data breach after a hacker accessed credit card, passport and personal details of some 9.4 million customers.

The airline's shares slumped to the lowest intraday level in nine years, shaving as much as US$361 million off its market value, after the Hong Kong-based carrier said it discovered suspicious activity on its network in March and confirmed the unauthorised access in May.

Flight safety wasn't compromised and there was no evidence any information has been misused, it added, without disclosing details of the origin of the attack.

"This is quite shocking," said Shukor Yusof, founder of aviation consulting firm Endau Analytics in Malaysia. "It's probably the biggest breach of information in the aviation sector."

Impacting more people than the population of Cathay Pacific's home base of Hong Kong, the hack is in another league to breaches reported by British Airways plc (BA) and Delta Air Lines Inc this year.

Those carriers boosted spending on cybersecurity after hacks, which saw personal and financial information of hundreds of thousands of customers illegally accessed.

"At this point, we believe it is uncertain if Cathay Pacific would be liable to any fines imposed by government authorities for such a breach," Geoffrey Cheng, an analyst at Bocom International Holdings Co, wrote in a research note on Thursday. "However, we expect the share-price jitters to linger on for a while."

The data breach at Cathay - a partner of BA in the Oneworld airline alliance - adds to the carrier's woes, with chief executive officer Rupert Hogg trying to turn it around after two straight annual losses.

"We are very sorry for any concern this data security event may cause our passengers," Mr Hogg said in a statement on the carrier's website. "We are in the process of contacting affected passengers, using multiple communication channels, and providing them with information on steps they can take to protect themselves."

Shares of Cathay Pacific tumbled as much as 6.8 per cent to their lowest intraday level since June 2009.

What got exposed?

Hong Kong's privacy commissioner expressed serious concern over the leak and said the office will initiate a compliance check with the airline.

A dedicated website, infosecurity.cathaypacific.com, provides information about the event and what affected passengers should do next.

Some local lawmakers criticised Cathay for taking seven months to reveal the breach. Lam Cheuk-ting, a member of the Legislative Council's security committee, told reporters that many people in Hong Kong are angry and the airline should've taken the initiative the very first day it found out.

Cathay's chief customer and commercial officer Paul Loo said the airline wanted to have accurate grasp on the situation and didn't wish to "create unnecessary panic," AFP reported.

Upon discovery, Cathay said it took immediate action to contain the event and started a "thorough" probe with the assistance of a cybersecurity firm and bolstered its network security.

BA said the hack on its system lasted for more than two weeks during the months of August and September, compromising credit-card data of some 380,000 customers. Delta said in April that cyber attack on a contractor last year exposed the payment information of "several hundred thousand customers".

Mr Hogg has reduced jobs starting with the carrier's head office in Hong Kong to cut costs and introduced better business-class services on long-haul flights to help lure premium passengers. BLOOMBERG