A Cathay Pacific Airways flight attendant poses at the airline’s booth during the Asian Aerospace Show in Hong Kong. File Picture: REUTERS/BOBBY YIP
A Cathay Pacific Airways flight attendant poses at the airline’s booth during the Asian Aerospace Show in Hong Kong. File Picture: REUTERS/BOBBY YIP

The world’s biggest airline data breach, affecting millions of Cathay Pacific customers, was the result of a sustained cyber attack that lasted for three months, the carrier admitted, while insisting it is on alert for further intrusions.

The Hong Kong-based firm was subjected to continuous breaches that were at their “most intense” from March to May but continued after, it said in a written submission to the city’s legislative council ahead of a panel hearing on Wednesday.

It also looked to explain why it took until October 24 to reveal that 9.4-million passengers had been affected, with hackers accessing personal information including dates of birth, phone numbers and passport numbers.

Cathay said while the number of successful attacks had diminished, it remained concerned as “new attacks could be mounted”.

“Cathay is cognisant that changes in the cybersecurity threat landscape continue to evolve at pace as the sophistication of the attackers improves,” it said. “Our plans, which include growing our team of IT security specialists, will necessarily evolve in response to this challenging environment.”

It explained in the statement that the nature of the attacks, the enormous amount of investigative work required and the process to identify stolen data contributed to the length of time between initial discovery and public disclosure. It also said it was not until October 24 that it had completed the identification of the personal data that had been accessed.

Hong Kong-listed shares in the firm were up 0.57% in early afternoon trade.

The city’s privacy commissioner for personal data said last week it was investigating the carrier over the hack and why it took so long to tell customers.

The airline admitted about 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit-card numbers and 27 credit-card numbers with no card verification value were accessed, but insisted that there was no evidence that personal data has been misused.

“No passenger’s travel or loyalty profile was accessed in full, and no passenger passwords were compromised,” it said.

The company has apologised to affected passengers and says it is helping them to protect themselves.

The troubled airline is already battling to stem major losses as it comes under pressure from lower-cost Chinese carriers and Middle East rivals.

It recorded its first back-to-back annual loss in its seven-decade history in March and has previously pledged to cut 600 staff, including a quarter of its management, as part of its biggest overhaul in years. — AFP