HONG KONG, Kyodo - Hong Kong's flagship carrier Cathay Pacific Airways said Thursday it "regrets" that the personal information of 9.4 million passengers was exposed in a data breach now under police investigation.
"The matter has caused concerns among many of our passengers. I want to express our regrets," Cathay Pacific's chief customer and commercial officer Paul Loo said in a radio program. "In most cases, passengers' names and email addresses, or their names and phone numbers were accessed."
Loo said suspicious activity was first noticed in March and unauthorized access to certain personal data was confirmed in May. He defended the delay in disclosing the breach, saying the company needed time to find out how each customer was affected."
"We didn't want to create an unnecessary scare," Loo said, while adding that affected passengers will be informed in the next two days, adding a website was set up for passengers to find out if they are among the 9.4 million.
In a statement issued on the Stock Exchange of Hong Kong website late Wednesday, the Hong Kong-listed company said the breach involved passenger data from Cathay Pacific and its subsidiary Dragon Airlines.
It said the types of data accessed included passenger names, nationalities, dates of birth, passport and identity card numbers, email and physical addresses, telephone
numbers, frequent flyer membership numbers, customer service remarks and travel history.
Approximately 860,000 passport numbers and some 245,000 Hong Kong identity card numbers were accessed.
The company reported the case to police and the Privacy Commissioner on Wednesday, he added.
Police said its cybersecurity and technology crime unit is investigating the case, which is listed as "accessing computer with criminal or dishonest intent."
Privacy Commissioner Stephen Wong said Thursday that Cathay Pacific's late revelation of the data leak is "unethical" and unacceptable under European Union regulations that require companies notify regulators about breaches within 72 hours.
But he conceded that companies in Hong Kong are not required to report data breaches.
"We are notifying passengers who we believe may have been affected. I appreciate that this news may cause you concern and I am sorry," Chief Executive Officer Rupert Hogg said in a video-clip posted on the company's website.
"We have no evidence that any personal data has been misused, and we are offering optional, complimentary ID monitoring to affected passengers."
According to its website, the ID monitoring service will monitor if personal data of affected passengers may be available on public websites, chat rooms, blogs, and non-public places on the internet where data can be compromised such as dark web sites.
The company, servicing some 240 destinations worldwide with a fleet of 200 aircraft, reported a loss for both 2016 and 2017 with huge fuel hedging losses, according to its financial statements.