HONG KONG - Shares of Cathay Pacific Airways slid nearly 7 percent to a nine-year low on Thursday after it said data of about 9.4 million passengers of Cathay and its unit, Hong Kong Dragon Airlines Ltd, had been accessed without authorisation.
Cathay said late on Wednesday that in addition to 860 000 passport numbers and about 245 000 Hong Kong identity card numbers, the hackers accessed 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV).
Hong Kong privacy commission expresses serious concern over Cathay data leak
The company said it initially discovered suspicious activity on its network in March 2018 and investigations in early May confirmed that certain personal data had been accessed.
Hong Kong’s privacy commission on Thursday expressed serious concern over the data breach and urged the airline to notify passengers affected by the leak as soon as possible and explain details immediately.
“People are concerned about why it took so long for them to make an announcement,” said Linus Yip, chief strategist in First Shanghai Securities.
“The market demands more details and explanation.”
It was not immediately clear who was behind the data breach or what the information might be used for.
Cathay said the Hong Kong Police had been notified about the breach and that there was no evidence that any personal information had been misused.
The data breach comes as the airline is undergoing a turnaround designed to cut costs and increase revenue, after back-to-back years of losses, to allow it to better compete against rivals from the Middle East, mainland China and budget airlines.
In August, Cathay Pacific posted a narrower half-year loss on a strong rise in airfares and cargo rates and flagged expectations for a better second half despite economic headwinds from mounting US-China trade tensions.
The hack also comes more than a month after British Airways apologised over the theft of credit card details of hundreds of thousands of its customers over a two-week period in an attack on its website and app.Reuters