Cathay Pacific Airways said today it is working with 27 regulators in 15 jurisdictions to investigate a data breach that affected millions of passengers, as Hong Kong lawmakers grilled executives over how it handled the incident.
The executives did not answer repeated questions about whether the airline would compensate all affected customers or if it might face a hefty fine under new European Union privacy regulations, saying it was “too early” to comment.
Cathay has come under mounting criticism after it said late last month that about 9.4 million passengers‘ personal data had been accessed without authorisation, seven months after it became aware of the breach.
It was not immediately clear who was behind the breach or what the information might be used for, but Cathay said there was no evidence so far that personal information had been misused.
“The incident is a crisis,” company Chairman John Slosar told the committee. “It is the most serious one the airline has faced.”
Slosar again apologised for failing to protect customers’ data and said he regretted that the company could not investigate the attack more quickly.
Shares of Cathay, which slid to a nine-year low after news of the data leak last month, were up more than 4 percent on Wednesday, beating a flat broader market.
Cathay said in a document submitted to Hong Kong’s Legislative Council that it first detected suspicious activity on its network in March and that the attack continued in the following months and expanded in scope.
The airline then took until mid-August to conclude which passenger data had been accessed, according to the document, and it completed the identification of the personal data that pertained to each individual passenger on Oct. 24.
Slosar said that in future Cathay would instantly disclose any similar issues to the authorities.
The company denied the data breach was a result of layoffs at its IT department last year.
Cathay said an airline restructuring had been completed and it planned to hire 1,800 staff this year.
It also said it has spent over HK$1 billion ($127.7 million) on IT infrastructure and security over the past three years