



Cathay apologises over data breach affecting 1,000 Asia Miles accounts
Cathay Pacific has apologised after its loyalty programme Asia Miles fell prey to a cyber attack which affected around 1,000 accounts, with mileage stolen, and personal data and travel details compromised.
In a statement seen by MARKETING-INTERACTIVE, Cathay said the compromised personal data includes personal particulars and travel details, but no credit card information was exposed.
Cathay’s preliminary investigation indicates that theft of Asia Miles by unauthorised parties was the primary motivation, although the misuse of personal data remains a possibility. “The unauthorised parties used valid members' credentials, some of which were found to be exposed on the internet, to log in and then fraudulently bypassed the secondary verification process to access Asia Miles in the accounts, by exploiting an issue in such process,” the statement reads.
Cathay has identified that approximately 1,000 Cathay accounts, most of which belong to Hong Kong-based members, were impacted by this incident. “For the majority of the affected members, we have already been in contact with them, restored their accounts and reinstated their lost Asia Miles. We are now in the process of verifying the identities of the remaining affected members, whose accounts have been temporarily locked for security purposes. We shall contact them individually as soon as possible to restore their accounts and reinstate any lost Asia Miles,” it said.
Furthermore, the secondary verification issue has been rectified, and the process has been further strengthened by Cathay to ensure that similar incidents do not happen again.
Cathay has reported this incident to the relevant authorities, including the Office of the Privacy Commissioner for Personal Data (PCPD), and has engaged an external expert to conduct a comprehensive independent investigation into the incident.
Cathay has reminded its members to stay vigilant by protecting their passwords, avoiding sharing them with third parties, updating them regularly and changing to passkey authentication as an upgraded security measure. It has also suggested members remain alert to phishing attempts, be cautious of any unknown or suspicious communications, refrain from opening unverified links or attachments, and remain aware of potential fraudulent activities.
Separately, the PCPD said in a statement that it has not received any inquiries or complaints regarding the theft of Asia Miles. It received a notification of a data breach from Cathay on 15 July. Further information submitted on 24 July indicated that around 1,000 member accounts worldwide were affected, including 724 from Hong Kong.
The incident may have compromised the personal data of 2,216 Hong Kong customers, including details such as name, gender, date of birth, email address, and travel document information. While Cathay has begun notifying the affected individuals, the PCPD has initiated a compliance review.