HONG KONG, Kyodo - Hong Kong's flagship carrier Cathay Pacific Airways said late Wednesday that the personal information of 9.4 million of its passengers was exposed in a data breach that is currently under police investigation.
In a statement issued on the Stock Exchange of Hong Kong website, the Hong Kong-listed company said the breach involved data from passengers of Cathay Pacific and its subsidiary Dragon Airlines.
"Passenger data of approximately 9.4 million people has been accessed," the statement reads. "The company has no evidence that any personal information has been misused. There is no impact on flight safety."
It said the types of data accessed included passenger names, nationalities, dates of birth, passport and identity card numbers, email and physical addresses, telephone numbers, frequent flyer membership numbers, customer service remarks and travel history.
Approximately 860,000 passport numbers and some 245,000 Hong Kong identity card numbers were accessed.
In addition, 403 expired credit card numbers and 27 credit card numbers with no CVV -- the security code printed on the back -- were exposed, it said.
"We are very sorry for any concern this data security event may cause our passengers," Chief Executive Officer Rupert Hogg said in a separate statement. "No passwords were compromised."
The company said suspicious activities were first noticed in March and despite efforts to contain the matter, including conducting an investigation with assistance of a cybersecurity firm, "unauthorized access to certain personal data was confirmed in early May."
The city's privacy watchdog said it will look into the matter, local media reported.
The police confirmed that the company has contacted them and they "are looking into the matter."
The company, servicing some 240 destinations worldwide with a fleet of 200 aircraft, reported a loss for both 2016 and 2017 with huge fuel hedging losses, according to its financial statements. (Kyodo)