You have turned off cookies for this site. Please enable cookies for a better browsing experience.
Please upgrade your web browser
You are using an unsupported browser. See our supported browsers to enjoy the very best experience of our site.

Important information: data security event

Latest update: 24 Oct 2018 22:30 HKT (GMT+8)

Official emails relating to this data security event will be sent from an address with the format infosecurity@cathaypacific.com.

With regard to this data security event, we will never request your personal or financial information, and we will never ask for your password.

If you are concerned about an email, we recommend that you don’t click on any links, open any attachments or reply to it.

We would like to inform you of a data security event that may involve some of your personal data. We are very sorry for any concern that this event may cause you, and this notice will provide you with information about what happened and how we can assist you.

What Happened.

We initially discovered suspicious activity on our network in March this year. Upon discovery, we took immediate action to contain the event, to commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures. Unauthorised access to certain personal data was confirmed in early May. Since that time, analysis of the data has continued in order to identify affected individuals and to determine whether the data at issue could be reconstructed.

We have no evidence that any personal data has been misused. We recommend that you follow the steps outlined in this notice to help protect yourself against potential risks.

What Information Was Involved.

The following types of personal data of Cathay Pacific and Cathay Dragon passengers was accessed: name; nationality; date of birth; phone number; email; address; passport number; frequent flyer programme membership number; customer service remarks and historical travel information.

The combination of data accessed varies for each affected passenger.

No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.

What Are We Doing.

We are contacting affected passengers to provide information on steps that you can take to protect yourself. If you are an affected member of the Marco Polo Club, Asia Miles or a Registered User, you will be contacted individually in the coming days. In that communication, we will tell you which specific types of personal information about you may have been accessed.

If you believe you may have been affected, you can submit a request here and we will tell you if we have identified your personal data as having been accessed.

We are offering ID monitoring services to affected passengers and this will be provided by Experian, a global data and information service provider. This service (IdentityWorks Global Internet Surveillance) monitors if your personal data may be available on public websites, chat rooms, blogs, and non-public places on the internet where data can be compromised such as dark web sites.  If you are an affected member of the Marco Polo Club, Asia Miles or a Registered User, we will contact you individually with relevant information.

We have notified, or are notifying, the relevant authorities and the Hong Kong Police.

What You Can Do.

Although no-one’s travel or loyalty profile was accessed in full and no passwords were compromised, as best practice, we recommend that you consider:

  • changing your passwords regularly;
  • checking for any suspicious activity; and
  • being vigilant against phishing or other attempted scams.

As mentioned above, we are offering ID monitoring services to affected passengers.  If you are an affected member of the Marco Polo Club, Asia Miles or a Registered User, we will contact you individually with relevant information. If you are not sure if you are affected, please register your enquiry with us and we will get back to you.

For information on passport replacements please see the State Department’s website regarding lost or stolen passports here.

We also recommend that our passengers remain vigilant with respect to reviewing account statements and monitoring credit reports for unauthorized activity, and promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities, including local law enforcement, your state’s attorney general and/or the Federal Trade Commission (“FTC”).  In addition, we have provided supplemental information regarding further actions you may consider and resources to obtain additional information about identity theft and ways to protect yourself.

For More Information.

If you have any further questions about the event, more information is available at infosecurity.cathaypacific.com, or you can:

We want to reassure you that there is no impact on flight safety as the IT systems affected are totally separate from our flight operations systems, and that we took and continue to take measures to enhance our IT security. Your safety and security remains our top priority.

 

For your information:

  • Asia Miles is owned by, and provided to members by Cathay Pacific Airways Limited, and is managed and operated by Asia Miles Limited, a wholly owned subsidiary of Cathay Pacific Airways Limited, as an agent of Cathay Pacific Airways Limited.
  • Hong Kong Dragon Airlines Limited is a wholly owned subsidiary of Cathay Pacific Airways Limited and Cathay Pacific Airways Limited manages and provides IT support services to Hong Kong Dragon Airlines Limited.

Additional information

Contact information for the three nationwide credit reporting companies is as follows:

Equifax

  • Phone: 1-800-685-1111
  • P.O. Box 740256, Atlanta, Georgia 30348
  • www.equifax.com

Experian

TransUnion

 

Free Credit Report. 

We remind you to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity.   You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228.  You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available from the U.S. Federal Trade Commission’s (“FTC”) website at www.consumer.ftc.gov) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.

For Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, Puerto Rico, and Vermont residents:

You may obtain one or more (depending on the state) additional copies of your credit report, free of charge.  You must contact each of the credit reporting agencies directly to obtain such additional report(s).

Fraud Alert.

You may place a fraud alert in your file by calling one of the three nationwide credit reporting agencies above. A fraud alert tells creditors to follow certain procedures, including contacting you before they open any new accounts or change your existing accounts. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit.

For Colorado and Illinois residents: You may obtain additional information from the credit reporting agencies and the FTC about fraud alerts.

Security Freeze.

You have the ability to place a security freeze on your credit report.  A security freeze is intended to prevent credit, loans and services from being approved in your name without your consent. To place a security freeze on your credit report, you may be able to use an online process, an automated telephone line, or a written request to any of the three credit reporting agencies listed above.

The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. The credit reporting agencies may charge a fee to place a freeze, temporarily lift it or permanently remove it. The fee is waived if you are a victim of identity theft and have submitted a valid investigative or law enforcement report or complaint relating to the identity theft incident to the credit reporting agencies. (You must review your state’s requirement(s) and/or credit bureau requirement(s) for the specific document(s) to be submitted.)

For Massachusetts residents: The fee for each placement of a freeze, temporary lift of a freeze, or removal of a freeze is $5.

For Rhode Island residents: The credit bureaus may require you to pay a fee to place, lift, or remove the security freeze.

For New Mexico residents: You may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You may submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft. You have a right to place a security freeze on your credit report or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act.

For Colorado and Illinois residents: You may obtain information from the credit reporting agencies and the FTC about security freezes.

Federal Trade Commission and State Attorneys General Offices.

If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your home state. You may also contact these agencies for information on how to prevent or avoid identity theft.  You may contact the Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580, www.ftc.gov/bcp/edu/microsites/idtheft/, 1-877-IDTHEFT (438-4338).

For Maryland Residents: You may contact the Maryland Office of the Attorney General, Consumer Protection Division, 200 St. Paul Place, Baltimore, MD 21202, www.oag.state.md.us, 1-888-743-0023.

For North Carolina residents: You may contact the North Carolina Office of the Attorney General, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, www.ncdoj.gov, 1-877-566-7226.

For Rhode Island Residents: You may contact the Rhode Island Office of the Attorney General, 150 South Main Street, Providence, RI 02903, http://www.riag.ri.gov, 401-274-4400

Reporting of identity theft and obtaining a police report.

You have the right to obtain any police report filed in the United States in regard to this incident.  If you are the victim of fraud or identity theft, you also have the right to file a police report.

For Iowa residents: You are advised to report any suspected identity theft to law enforcement or to the Iowa Attorney General.

For Massachusetts residents: You have the right to obtain a police report if you are a victim of identity theft.  You also have a right to file a police report and obtain a copy of it.

For Oregon residents: You are advised to report any suspected identity theft to law enforcement, the Federal Trade Commission, and the Oregon Attorney General.

For Rhode Island residents: You have the right to file or obtain a police report regarding this incident.

Number of Rhode Island Residents Affected: Approximately 1