Huge breach affects 9 million Cathay Pacific customers

Airlines aren’t having a good time of things at the moment. Even if you managed to dodge the recent British Airways fallout, you may well be caught up in the latest breach affecting no fewer than 9 million customers of Cathay Pacific.

So what was taken? The impact this time around isn’t so much where payment information is concerned, as the 403 credit card numbers the hackers grabbed had all expired, and the 27 live ones had no CVV stored. It isn’t even passwords, as the airline claims none of those were grabbed. The issue is that the hackers took 860,000 passport numbers, 240 Hong Kong identity cards, and all the personal data that goes with them.

What Personally Identifiable Information (PII) was compromised?

Here’s what the criminals ran away with in the Cathay Pacific breach: PII. Namely: nationality, date of birth, name, address, email, telephone numbers, frequent flyer membership numbers, customer service remarks, and “historical travel information.” The data accessed varies from passenger to passenger, so there’ll be some with almost nothing to worry about and others wondering how they drew several short straws simultaneously.

If you’re wondering why breachers continue to steal PII, this data is incredibly useful for anybody planning a targeted attack, be it phishing, social engineering, or plain old convincing malware. Some of the scams could easily become real-world issues, as opposed to staying firmly behind the computer screen.

At this point, we’d typically advise anyone affected by the breach to be extremely cautious of any missive sent their way from those claiming to be Cathay Pacific. Don’t hand over payment information to random phone callers, avoid clickable links in emails persuading you that your password has expired, and so on.

There’s only one slight problem with this: the breach apparently took place in March 2018, or at least that’s when the airline discovered a breach had taken place. It then took until May for the airline to confirm data had been accessed without permission.

As a result, it may not be much use at this point to say “Watch out for this” when it’s already happened. If the airline is correct in its thinking that no data has been abused yet, then what you can do is visit the website set up in the wake of the breach (called a “Data security event”) and use the relevant link for US and non-US customers to get things moving.

Note that Cathay Pacific points out they’ll never ask for personal/financial information related to this breach, and they also list a sole email point of contact for any further communications. Should you receive a note from an address other than the one mentioned, you can safely ignore it.

To ease the fears of worried customers, Cathay Pacific are offering ID monitoring services. And if you’re not sure if you’ve been affected, you can send them a message and they’ll get back to you.

Airlines are increasingly coming under attack from individuals with an eye for large pots of valuable customer data, and even their apps are considered fair game. Whether large fines or other consequences for Cathay Pacific emerge remains to be seen, but taking to the skies is anxiety-filled enough without having to worry about the safety of your data back on terra firma. One would hope this is the last major airline breach we’ll see for a while, but on the evidence we’ve seen so far, they’ll be a prime slice of hacker real estate for some time to come.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.