Millions of passengers hit in worst ever airline data hack
(Bloomberg) --Cathay Pacific Airways Ltd. said a hacker accessed personal information of 9.4 million customers, becoming the target of the world’s biggest airline data breach.
The airline’s shares sank the most in almost two years, shaving $201 million off its market value, after the Hong Kong-based carrier disclosed the unauthorized access late Wednesday, seven months after discovering the violation. While passports, addresses and emails were exposed, flight safety wasn’t compromised and there was no evidence any information has been misused, it said, without revealing details of the origin of the attack.
“This is quite shocking,” said Shukor Yusof, founder of aviation consulting firm Endau Analytics in Malaysia. “It’s probably the biggest breach of information in the aviation sector.”
Impacting more people than the population of Cathay Pacific’s home base of Hong Kong, the hack is in another league to breaches reported by British Airways Plc and Delta Air Lines Inc. this year. Those carriers boosted spending on cyber security after hacks, which saw personal and financial information of hundreds of thousands of customers illegally accessed.
“At this point, we believe it is uncertain if Cathay Pacific would be liable to any fines imposed by government authorities for such a breach,” Geoffrey Cheng, an analyst at Bocom International Holdings Co., wrote in a research note Thursday. “However, we expect the share price jitters to linger on for a while.”
The data breach at Cathay -- a partner of British Airways in the Oneworld airline alliance -- adds to the carrier’s woes, with Chief Executive Officer Rupert Hogg trying to turn it around after two straight annual losses.
“We are very sorry for any concern this data security event may cause our passengers,” Hogg said in a statement on the carrier’s website. “We are in the process of contacting affected passengers, using multiple communication channels, and providing them with information on steps they can take to protect themselves."
Shares of Cathay Pacific tumbled 3.8 percent in Hong Kong on Thursday, the biggest loss since January 2017.
What got exposed?
Exposed data included: Names, nationalities, dates of birth, telephone numbers, email, physical addresses, numbers for passports, identity cards and frequent-flier programs, and historical travel information. 403 expired credit card numbers 27 credit numbers with no CVV, or a security code, about 860,000 passport numbers and 245,000 Hong Kong IDs.
Hong Kong’s privacy commissioner expressed serious concern over the leak and said the office will initiate a compliance check with the airline. A dedicated website, infosecurity.cathaypacific.com, provides information about the event and what affected passengers should do next.