Cathay Pacific says 9.4 million passengers affected by data breach

Shares of Cathay Pacific Airways Ltd slid nearly sevenper cent to a nine-year low on Thursday after it said data of about 9.4 million passengers of Cathay and its unit, Hong Kong Dragon Airlines Ltd, had been accessed without authorization.

Cathay said late on Wednesday that in addition to 860,000 passport numbers and about 245,000 Hong Kong identity card numbers, the hackers accessed 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV).

The company said it discovered suspicious activity on its network in March 2018 and investigations in early May confirmed that certain personal data had been accessed.

Hong Kong's privacy commission on Thursday expressed serious concern over the data breach and urged the airline to notify passengers affected by the leak as soon as possible and provide details immediately.

'The market demands more details'

Shares of Cathay Pacific slid as much as 6.8 per cent on Thursday to $1.65 Cdn, their lowest in nine years. That compared with a twoper cent fall for the benchmark Hang Seng Index.

The stock pared losses and was down 4.9 per cent at midday.

"People are concerned about why it took so long for them to make an announcement," said Linus Yip, chief strategist at First Shanghai Securities.

"The market demands more details and explanation."

Airline defends delay

Cathay Pacific's chief customer and commercial officer, Paul Loo, defended the length of time it took the airline to alert affected passengers.

"We didn't want to create an unnecessary scare. Now we understand very well how each customer has been affected," Loo told broadcaster RTHK, adding that those affected would be notified in the next two days.

Cathay told Reuters it was important to have accurate information so that people know the facts.

"Now that we have conducted a thorough investigation, we are notifying anyone who has potentially been affected," the airline said in an email statement.

Not clear if info has been misused

It was not immediately clear who was behind the data breach or what the information might be used for.

Cathay said the Hong Kong Police had been notified about the breach and there was no evidence that any personal information had been misused. Analysts were cautious.

"We expect its share price to remain jittery in the near term," BOCOM International's Geoffrey Cheng said in a research note. "We will revisit our earnings forecasts and review our rating for CPA soon."

The data breach comes as the airline is undergoing a turnaround designed to cut costs and increase revenue, after back-to-back years of losses, to allow it to better compete against rivals from the Middle East, mainland China and budget airlines.

In August, Cathay Pacific posted a narrower half-year loss on a strong rise in airfares and cargo rates and flagged expectations for a better second half despite economic headwinds from mounting U.S.-China trade tensions.

The hack also comes more than a month after British Airways apologized over the theft of credit card details of hundreds of thousands of its customers over a two-week period in an attack on its website and app.