The big picture: Hong Kong-based airline Cathay Pacific Airlines announced on Wednesday that it had uncovered a breach of its information systems. It estimates that the data of as many as 9.4 million customers have been exposed. It did not mention that the unauthorized activity occurred in March of this year.

The international airline emailed customers urging them to change their passwords, even though in its announcement it said that no passwords were compromised.

“No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised,” said Cathay Pacific CEO Rupert Hogg.

The company claims that it took immediate action to contain the data breach and investigate the incident.

The exposed information includes passenger names; nationalities; dates of birth; phone numbers; emails; addresses; passport numbers; identity card numbers; frequent flyer program membership numbers; customer service remarks; and historical travel information. However, Hogg said that there is no evidence that any of the data has been misused.

"We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures."

Additionally, credit card numbers were accessed. Cathay Pacific tried to play this fact down in its announcement by noting that 403 of the cards were expired. This fact is meaningless considering that when your card expires the number is still valid once it’s renewed. The other 27 current cards that were compromised did not have the CVV attached. This too is of little comfort since a three-digit CVV is not hard to crack once you have the credit card number according to Naked Security.

The airline also did not mention that the unauthorized access took place clear back in March. Since China operates under the European Union’s General Data Protection Regulation (GDPR), even Chinese companies are required to report a data breach within 72 hours. Failure to notify in a timely manner can result in a fine equal to four percent of a company’s annual income.

However, Cathay Pacific is likely going to avoid punishment in this case since the incursion occurred before the GDPR took effect on May 25.

The South China Morning Post notes, “Cathay Pacific Airways looks set to escape heavy penalties under Hong Kong, United States, and European Union privacy laws, even as it faces universal condemnation for keeping a massive data breach secret for seven months. Corporate lawyers said Cathay may have narrowly escaped punishment, as the breach was discovered about three months before a rule change on May 25.”

Flyers who fear they may have been exposed are encouraged to contact Cathay Pacific. Information for getting in touch over this matter is on the company’s infosec website.