Cathay Pacific has discovered unauthorised access to some of its information systems, containing passenger data of up to 9.4 million people.
The company said it has no evidence that any personal information has been misused.
The IT systems affected are “totally separate” from its flight operations systems, and there is no impact on flight safety, the Hong Kong-based carrier said.
Cathay Pacific chief executive, Rupert Hogg, said: “We are very sorry for any concern this data security event may cause our passengers.
“We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.”
He added: “We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves.
“We have no evidence that any personal data has been misused.
“No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.”
The following personal data was accessed: passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer programme membership number; customer service remarks; and historical travel information.
Some 860,000 passport numbers and about 245,000 Hong Kong identity card numbers are among the data stolen.
In addition, 403 expired credit card numbers were accessed.
Twenty-seven credit card numbers with no CVV were accessed.
The combination of data accessed varies for each affected passenger.
Cathay Pacific said it had notified the Hong Kong Police and is notifying the relevant authorities .
Anyone who believes they may be affected can contact Cathay Pacific at [email protected]
The suspicious activity was first discovered in March, and the loss of personal information was confirmed in May.
Hogg added: “We want to reassure our passengers that we took and continue to take measures to enhance our IT security.
“The safety and security of our passengers remains our top priority.”
Ted McKendall, chief technology officer at Trusted Knight explained: “This is a catastrophe of a data breach, which makes British Airways’ leak last month look trivial by comparison.
“What is staggering here is firstly, the sheer volume of passengers affected – 9.4 million people is greater than the population of many countries; secondly, the nature of the data that has been accessed; and thirdly, how long it took the airline to alert customers.
“There are no details of how the breach was executed yet, but I can only assume that the extreme delay between identifying the breach and notifying customers is because the airline was trying to patch its systems first.”