Cathay Pacific has issued an apology after its loyalty program, Asia Miles, was targeted in a cyber attack that resulted in the theft of air miles and the compromise of personal information. The breach affected roughly 1,000 member accounts, with the airline stating that the primary motivation appeared to be the fraudulent acquisition of miles. In a statement, Cathay confirmed that while personal particulars and travel details were exposed, no sensitive credit card information was accessed during the incident.
The breach was executed by unauthorized parties who used valid member credentials, some of which had been previously exposed online from unrelated security incidents. These attackers then exploited a specific vulnerability in Asia Miles’ secondary verification process, allowing them to bypass security checks and gain access to accounts. According to Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD), the breach affected 724 members in Hong Kong, potentially compromising the data of 2,216 individuals, including names, genders, dates of birth, email addresses, and travel document information.
In response to the attack, Cathay Pacific has taken immediate remedial action.
The airline has rectified the security issue in its verification process and implemented further safeguards to prevent a recurrence. For the majority of the impacted members, Cathay has already restored their accounts and reinstated the stolen miles. The remaining affected accounts have been temporarily locked for security purposes, with the airline now in the process of verifying identities before restoring full access and compensating for any lost mileage.
The incident has been formally reported to the relevant authorities, including the PCPD, which confirmed it received a data breach notification from Cathay on July 15. While the PCPD has not yet received any direct complaints from the public regarding the incident, it has launched a compliance review into the matter.
Furthermore, Cathay Pacific has engaged an external cybersecurity expert to conduct a thorough and independent investigation into the breach to fully understand its scope and mechanics.
In the wake of the attack, Cathay has issued a broader security advisory to all its members, urging them to remain vigilant. The airline recommends protecting passwords by not sharing them, updating them regularly, and switching to more secure passkey authentication where available. Members are also advised to be wary of potential phishing attempts, to avoid opening unverified links or attachments, and to stay alert for any suspicious communications or potential fraudulent activities related to their accounts.
Reference:
