Cathay Pacific Airways Ltd., the flag carrier of Hong Kong, is the latest airline to be hacked, with 9.4 million customer records stolen.

Data stolen in the hack, which occurred in March but only disclosed now, included passenger names, nationality, date of birth, phone number, email, address, passport number, identity card number, frequent flyer program membership number, customer service remarks and historical travel information. In a very few cases, credit card data was also stolen.

It’s not clear how the hack happened, but it does follow a hack of British Airways in September that was later linked to a hacking gang dubbed “Magecart.”

“The Cathay Pacific breach is very concerning in terms of its scale and length of time taken to alert affected customers,” Steve Malone, director of security product management at Mimecast Services Ltd., told SiliconANGLE. “It’s likely that EU citizens were included in a breach of this size and GDPR questions will be asked.”

This kind of information allows cybercriminals to do highly targeted spear phishing and social engineering attacks, often via impersonation emails against friends or business contacts, Malone explained.

“These impersonation attacks are now the easiest way for criminals to steal money and valuable data,” he said. “Notified customers should change passwords as a precaution and alert their employer’s IT security teams to help look out for attacks misusing their personal information.”

Kevin Stear, lead threat analyst at JASK Inc., noted the “ever-deteriorating state of identity protection and overall online trust,’ saying it’s further worrisome that many people have become desensitized to these breaches.

“This latest instance involves millions of individuals’ personal data that, when used on its own or in combination with other sources, can be a viable means for hacking identities through account takeovers and other means of impersonation,” Stear said. “This also begs the same question we’ve asked of the energy sector for several years: How far removed are these actors from actually affecting critical airline systems? It’s possible (and even likely) that these systems could already be breached today.”

Photo: Adrian Pingstone/Wikimedia Commons