Cathay Pacific says cybersecurity experts engaged to search the dark web and other sites had found no evidence the stolen details of 9.4 million customers has appeared in these criminal forums.
But it said in a submission to the Hong Kong Legislative Council it had offered passengers the option of free enrolment in an ID monitoring service and more than 50,000 had enrolled in countries where the service was available.
It said the company running the service, Experian, worked with leading companies, financial institutions and government agencies.
It believed the company’s ability to search the web, including the dark web, for evidence of unauthorized data use would be valuable to passengers.
Data accessed by the hackers included passenger name, nationality, date of birth, phone number, email address, postal address, travel document and/or passport number, identity card number, and frequent flyer membership number.
The accessed data accessed varied by affected passenger and Cathay’s analysis revealed it was limited in most cases to either passenger name and phone number or passenger name and email.
There was also “a very small number of mostly expired credit card numbers” accessed because they had been improperly entered into a field not intended for credit card data.
The credit card data was incomplete and not travel of loyalty profiles were accessed in full, according to the airline.
The data breach came despite spending by Cathay of more than $HK1 billion on IT infrastructure and security in the previous three years
The airline told the Legislative Council in a submission that its IT specialists were not impacted by a 2017 restructuring that saw hundreds of other employees made redundant.
But it was unable to stop a sophisticated attack it says involved a number of complex systems and took significant time to analyze.
“Cathay and our affected passengers are victims of a cybercrime carried out by sophisticated attacker(s),’’ it said.
“Upon discovery, we immediately launched a comprehensive investigation with the help of external experts to determine what occurred and what information was affected.”
The airline said it verified early in the investigation that it flight safety systems were not affected and flight safety was never compromised.
It said its investigation on three objectives: investigation, containment and remediation; confirming which data had been accessed and whether it could be read by the attacker or attackers; and determining the types of compromised data attached to each affected passenger.
The nature of the attack involved a number of complex systems that took significant time, and an enormous amount of work, to analyze, it said
“Throughout our investigation of this incident, our foremost objective and primary motivation has been to support our affected passengers by providing accurate and meaningful information to them,” the airline said.
“Cathay respects the fact that all personal data needs to be protected and is important to the individual and we take our passengers’ concerns caused by this incident very seriously.
“The investigation was complex, longer than what we would have wished and we would have liked to have been able to provide this information sooner.”
The airline again apologized to passengers.
“We take our responsibilities with respect to our passengers’ personal data very seriously and we acknowledge that there are many lessons that we can and will learn from this event,’’ it said.