Cathay Pacific has disclosed a cybersecurity incident affecting its frequent flyer program, with approximately 1,000 Asia Miles accounts compromised by unauthorized parties.
The airline confirmed that while members' personal details and travel information were accessed, no financial data or credit card information was exposed in the breach.
“Our preliminary investigation suggests that Asia Miles theft by unauthorised parties was the primary motivation, though the misuse of personal data remains a possibility,” the airline wrote in a statement.
The breach occurred when cybercriminals obtained valid member credentials, some of which were previously exposed in unrelated internet leaks. These credentials were then used to bypass Cathay's secondary verification system through a now-patched vulnerability. The airline has since strengthened its authentication processes to prevent similar incidents.
Most affected members are based in Hong Kong, with Cathay already contacting the majority to restore accounts and reinstate stolen miles. A small number of accounts remain temporarily locked as identity verification continues. The airline pledged to resolve all cases promptly.
Cathay has reported the incident to Hong Kong's Privacy Commissioner and engaged independent cybersecurity experts to conduct a thorough investigation.
The breach represents the carrier's first major security incident since its 2018 data leak that affected millions of passengers.
The airline has issued renewed security guidance, urging members to adopt passkey authentication, regularly update passwords, and remain vigilant against phishing attempts.
Cathay emphasized that legitimate communications will never request sensitive information via email or links.
In response, the Office of the Privacy Commissioner for Personal Data said Cathay notified it that, among the 1,000 accounts, 724 belong to members in Hong Kong, which could have exposed the personal information of 2,216 of the airline's Hong Kong customers.
That information includes member level, name, gender, date of birth, date of joining the program, country or region of residence, mileage point balance, email address, phone number, address, meal and seat preferences, redemption group members' names, and travel document information.
The office has yet to receive any complaints or inquiries, and it will launch a probe into the incident in accordance with existing protocols.
(Updated at 8.19 pm)