Cathay Pacific

Cathay Pacific is an airline headquartered in Hong Kong, providing air transportation services to passengers. The company operates a global network, facilitating travel for a diverse international customer base. A core component of its customer offering is the Asia Miles frequent flyer program, which allows members to earn and redeem miles for travel and other benefits. The airline handles substantial volumes of sensitive personal information, including passenger names, contact details, passport and identity card numbers, and detailed travel histories. This data is integral to its operations, from booking and check-in to loyalty program management and customer service. The scope of its services encompasses the full passenger journey, requiring robust systems to manage reservations, itineraries, and personal particulars. Its market position is that of a major carrier based in a key international aviation hub, serving routes that connect Asia with the world. The organization's activities place it within a highly regulated sector where the protection of passenger data is a critical operational and compliance requirement. The nature of its business involves the continuous collection, processing, and storage of personal and financial data for millions of travelers.

The airline's operational history includes significant data security incidents that have shaped its cybersecurity posture. In 2018, unauthorized access compromised a wide array of passenger information, including passport details and historical travel records, along with a limited number of payment card details. A subsequent incident in 2025 involved the fraudulent compromise of approximately 1,000 member accounts, where attackers exploited exposed credentials and a vulnerability in secondary verification to steal Asia Miles. In response to these events, Cathay Pacific has undertaken specific remediation actions. These have included containing the incidents, launching investigations with external cybersecurity experts, notifying Hong Kong Police and relevant authorities, and establishing dedicated communication channels for affected individuals. The company has also explicitly stated that it reinforced its IT security measures and rectified the specific vulnerability identified in the 2025 incident. For impacted customers, the airline has pursued account restoration and mile reinstatement where applicable. These documented responses indicate a procedural focus on incident management, regulatory notification, and customer remediation following a security breach. The organization's handling of these events reflects an operational acknowledgment of data security risks within the aviation sector.