How many customers were affected by the Cathay Pacific data breach?

The breach impacted approximately 1,000 Cathay Pacific accounts, with the majority belonging to Hong Kong-based members. Additionally, personal information of another 2,216 Hong Kong customers were potentially compromised, bringing the total number of potentially affected customers to over 3,200.

What types of personal information were exposed in the breach?

The exposed data includes personal details of account holders, travel details and booking information, Asia Miles balances and account activity, and account access credentials and login information. This comprehensive data exposure could potentially be used for identity theft or fraudulent travel bookings.

Were stolen Asia Miles points returned to affected customers?

Yes, Cathay Pacific has reinstated any stolen Asia Miles points for the majority of compromised accounts that have been restored to secure status. This ensures that customers who had their loyalty points stolen by cybercriminals have been made whole in terms of their frequent flyer benefits.

When was the breach discovered and reported to authorities?

While the breach was publicly reported on July 24, 2025, Cathay Pacific had actually reported the incident to Hong Kong's privacy authorities over a week earlier, suggesting the airline discovered the breach in mid-July 2025 and followed proper regulatory notification procedures before making a public announcement.

What vulnerability did the attackers exploit to bypass security measures?

The attackers exploited a vulnerability in Cathay Pacific's secondary verification process to bypass additional security measures. While the specific technical details of this vulnerability have not been disclosed, it allowed cybercriminals to circumvent multi-factor authentication or other secondary security controls that should have prevented unauthorized access even with valid credentials.

Why were some customer accounts temporarily locked?

Some affected customer accounts have been temporarily locked for security purposes while Cathay Pacific verifies the identities of account holders and implements additional protective measures. This precautionary step helps ensure that only legitimate account owners regain access and prevents further unauthorized access during the security enhancement process.

What should Cathay Pacific customers do to protect their accounts?

Cathay Pacific customers should monitor their Asia Miles accounts for any suspicious activity, change their account passwords if they haven't done so recently, enable any additional security features offered by the airline, and be vigilant for potential phishing attempts that could exploit the stolen personal information. Customers should also check their travel bookings for any unauthorized changes or fraudulent transactions.

Incident

Cathay Pacific loyalty program breach exposes customer data

Q: What data breach did Cathay Pacific Airways experience?

Cathay Pacific Airways, Hong Kong's flagship carrier, reported a data breach affecting its Asia Miles frequent flyer program. Cybercriminals stole loyalty points and accessed personal information from approximately 1,000 customer accounts. The breach was publicly reported on July 24, 2025, though the airline had reported the incident to Hong Kong's privacy authorities over a week earlier.

Q: How did the cybercriminals gain access to Cathay Pacific accounts?

Cybercriminals used valid member credentials that had been previously exposed on the internet to gain unauthorized access to customer accounts. The attackers then exploited a vulnerability in Cathay Pacific's secondary verification process to successfully bypass additional security measures and access Asia Miles balances within the compromised accounts.

published: July 24, 2025

Learn More

Cathay Pacific Airways, Hong Kong's flagship carrier is reporting a data breach affecting its Asia Miles frequent flyer program.

Cybercriminals stole loyalty points and accessed personal information from approximately 1,000 customer accounts. The breach was publicly reported on July 24, 2025, bit the airline reported the incident to Hong Kong's privacy authorities over a week earlier.

Cybercriminals used valid member credentials, some of which had been previously exposed on the internet, to gain unauthorized access to customer accounts. The attackers then exploited a vulnerability in Cathay Pacific's secondary verification process to successfully bypass additional security measures and access Asia Miles balances within the compromised accounts.

Exposed Data Types:

Personal details of account holders
Travel details and booking information
Asia Miles balances and account activity
Account access credentials and login information

The breach impacted approximately 1,000 Cathay Pacific accounts, the majority belonging to Hong Kong-based members. Personal information of additional 2,216 Hong Kong customers were potentially compromised

For the majority of compromised accounts, Cathay Pacific has already contacted affected members, restored their accounts to secure status, and reinstated any stolen Asia Miles points. Remaining affected customers have had their accounts temporarily locked for security purposes while the airline verifies their identities and implements additional protective measures.

Read More
Aya Healthcare reports data breach exposing personal information …
Air Europa reports breached credit card payment system
Home security/alarm company ADT reports second data breach …
PointClickCare reports data breach, exposing residents of long-term …
Facial Recognition Software of Tamil Nadu Police hacked, …