Cyber Incident Victim: Cathay Pacific

On October 24, 2018, Cathay Pacific Airways publicly disclosed a data security event involving unauthorized access to passenger information. The airline’s Chief Executive Officer, Rupert Hogg, issued an apology for the incident while confirming immediate containment measures had been implemented. Cathay Pacific engaged a leading cybersecurity firm to conduct a thorough investigation and initiated steps to strengthen IT security systems. The compromised data included passenger names, nationalities, dates of birth, contact information (phone numbers, email addresses, physical addresses), passport numbers, identity card numbers, frequent flyer membership numbers, customer service remarks, and historical travel records. Financial data exposure involved 403 expired credit card numbers and 27 active credit card numbers without CVV security codes. The airline emphasized that no complete travel or loyalty profiles were accessed, passwords remained secure, and there was no evidence of misuse of the stolen data. The specific combination of compromised information varied across affected individuals.

Cathay Pacific initiated multi-channel communications to notify impacted passengers, directing them to a dedicated informational website (infosecurity.cathaypacific.com) that outlined the breach details and protective steps. The airline established a dedicated call center operational from October 25, 2018 (GMT+8), with toll-free numbers listed on their security portal, and provided an email contact ([email protected]) for inquiries. The Hong Kong Police and relevant regulatory authorities were formally notified about the breach. Company leadership reiterated ongoing efforts to enhance IT security protocols while emphasizing that passenger safety and data security remained organizational priorities. No technical specifics regarding the attack vector, intrusion timeline, or system vulnerabilities were disclosed in the public statement.