Miles stolen, personal info exposed in CX data breach - RTHK

Miles stolen, personal info exposed in CX data breach

2025-07-24 HKT 18:08
Cathay Pacific says data accessed by unauthorised parties include the personal particulars and travel details of its members. File photo: RTHK

Hong Kong's flagship carrier has apologised over a data breach that led to frequent flyer miles being stolen and personal information of about 1,000 members exposed.

Cathay Pacific on Thursday said it was alerted to "fraudulent activities" on some membership accounts that "led to unauthorised access to personal data and theft of Asia Miles".

Data accessed by unauthorised parties included personal particulars and travel details, according to the carrier, but no credit card information was exposed.

"Our preliminary investigation suggests that Asia Miles theft by unauthorised parties was the primary motivation, though the misuse of personal data remains a possibility. The unauthorised parties used valid members' credentials, some of which were found to be exposed on the internet, to log in and then fraudulently bypassed the secondary verification process to access Asia Miles in the accounts," it said.

"The secondary verification issue has already been rectified and the process further strengthened by Cathay to ensure similar incidents will not happen again."

Asia Miles is Cathay's loyalty and frequent-flyer programme that allows members to earn points on flights and hotels, among other things.

The airline said most of the 1,000 Cathay accounts affected by the incident belong to Hong Kong-based members.

"For the majority of the affected members, we have already been in contact with them, restored their accounts and reinstated their lost Asia Miles. We are now in the process of verifying the identities of the remaining affected members, whose accounts have been temporarily locked for security purposes," it said.

Cathay said it has reported the incident to the authorities, including the city's privacy watchdog, and hired an external expert to conduct a comprehensive independent probe.

The Office of the Privacy Commissioner for Personal Data, for its part, said it was notified of the incident last Tuesday and had initiated a compliance check.

It said 724 accounts of Hong Kong-based members were affected, with personal information of 2,216 customers possibly being compromised, based on data submitted by Cathay.

The office added it has not received any enquiries or complaints relating to the incident.
_____________________________
Last updated: 2025-07-24 HKT 20:58
