Airline passenger records contain both personal and sensitive details of a person. Including passport information, identity cards numbers, names, birthdays, even mailing addresses. According to The Verge, Cathay Pacific had also confirmed that 403 expired credit card numbers were compromised, along with 27 active credit card numbers, but with no CVV numbers attached to them.
Cathay Pacific also released a statement, saying that no evidence of misuse of the personal information that was obtained from the hack has surfaced thus far. It also said that no passwords were compromised, to best of its knowledge. The magnitude of the breach does beggar belief. Usually, companies that suffer from cyber attacks have an obligation to inform both the public and its shareholders of such incidents within a reasonable time slot. The fact that the airline took this long also suggests that it was trying to keep the situation under wraps, while actively seeking out the parties responsible for the breach.
That’s not even including the potential legal ramifications that Cathay Pacific will now have to deal with, especially in Europe. Given its heavy presence in the region, it is highly likely that the EU will mete out some form of punishment to the airline via the recently passed GPDR rules. One of which states that companies affected by a data breach must report the incident to both customers and law enforcement agencies within three days from its discovery. If you feel like you were one of the people affected by the data breach, you can contact the airline directly or visit this official page for more information. (Source: The Verge via Cathay Pacific)