The stolen data supposedly included names, nationalities, birth dates, phone numbers, addresses, passport and identity card numbers and expired credit card numbers, among other information. The airline said no passwords were compromised and that it was contacting customers to advise them on how to protect themselves.
The airline stated that the breach was discovered during periodic security processes.
Hong Kong’s privacy commissioner, Stephen Kai-yi Wong, expressed “serious concern” over the lapse and urged companies to improve protection of personal data. A compliance check of the airline would be initiated, and he urged people to change their passwords and enable two-factor authentication.
Cathay Pacific’s shares dropped 6.5% early Thursday when the incident was reported, and 5.1% later that day.
David Emm, principal security researcher at Kaspersky Lab UK, says, “This is now the fourth airline to announce that they have suffered a data breach this year, following data leaks at Delta Airlines, Air Canada and, more recently, British Airways. Customers that entrust private information to the care of any online provider, including airlines, should be safe in the knowledge that their data is being kept in a secure manner. Cathay Pacific is an established and trusted airline provider, and this morning’s news that the personal data of 9.4 million passengers has been leaked suggests that the security solutions in place weren’t strong enough. However, it’s good to see that Cathay Pacific has taken the necessary precautions of informing its customers in response to this breach.
“Whilst security solutions significantly mitigate the risk of a successful attack, there are also other measures that businesses can take in order to provide thorough protection.
“These measures include running fully updated software, performing regular security audits on their website code and penetration testing their infrastructure. It’s crucial that businesses ensure that all passwords are protected using secure hashing and salting algorithms, and the best way for an organisation to combat cyberattacks is to put in place an effective cybersecurity strategy before they become a target.
“Consumers may soon lose the trust of airlines if breaches keep occurring, so it is vital that airline organisations ensure that they have efficient solutions in place.”