Cathay Pacific admits to data compromise of 9.4 million passengers - eight months ago

Passport numbers and identity card details also compromised in the March 2018 airline hack

Hong Kong airline Cathay Pacific has admitted a security breach in March 2018 that compromised the personal details of 9.4 million passengers.

Data accessed by the hackers included credit card, passport details, dates of birth, email addresses, mailing address, identify card numbers, historical travel information and even customer service details.

The latter implies that the company's customer relationship management (CRM) system may well have been one of the systems accessed by the attackers. Cathay implemented Salesforce in 2014. Indeed, Cathay deploys a wide range of CRM tools "to build a direct and long-term relationship with selected customers".

The details released are the most valuable type of personally identifiable information

The news was released late last night, although hasn't been published on the company's UK website. "As part of its ongoing IT security processes [Cathay Pacific] has discovered unauthorised access to some of its information systems containing passenger data of up to 9.4 million people.

"Upon discovery, the company took immediate action to investigate and contain the event. The company has no evidence that any personal information has been misused..."

Cathay Pacific CEO Rupert Hogg apologised and added, despite the hack occurring in March 2018, that the company had "acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cyber security firm, and to further strengthen our IT security measures".

Affected customers would be advised to change passwords to sensitive accounts as soon as possible and keep an eye out for any unusual email traffic or financial activity

He added that the company is in the process of contacting affected passengers and would provide "information on steps they can take to protect themselves", adding that "no passwords were compromised".

However, Tim Helming, director of product management at Domain Tools, pointed out that the personal information that had been divulged is among the most valuable for identity thieves.

"This amount of personal data being breached will undoubtedly make a contribution to further cybercrime in the future," he told Computing.

He continued: "The details released are the most valuable type of personally identifiable information: more than enough for cybercriminals to target victims via spear phishing ransom campaigns, or to simply steal identities for financial gain.

"The affected customers would be advised to change passwords to sensitive accounts as soon as possible and keep an eye out for any unusual email traffic or financial activity. This type of breach is wearyingly common; companies simply need to do better when protecting our data."

From the Cathay Pacific statement, though, the full extent of the breach remains unclear, with the company admitting that 27 credit card numbers had been access, but not their corresponding CVV numbers. "The combination of data accessed varies for each affected passenger," the company's statement concluded.

For Cathay Pacific, which flies from a number of UK airports, the date of the breach before the implementation of the Global Data Protection Regulation (GDPR) means that the potential for fines will be limited to just £500,000, with a 20 per cent discount for early payment.

IT security failings are, increasingly, costing CISOs, CIOs and CEOs their jobs.

With business utterly dependent on IT, it's not enough for senior executives to dismiss security as ‘techie stuff'. At Computing's Enterprise Security & Risk Management Live event, hear from the National Crime Agency, ex-hackers and big-business CISOs to learn about how they are tackling cyber security.

For more information, check out the dedicated event website. Attendance is FREE to IT leaders and senior IT pros.