A UK law firm called SPG Law has launched a group action against Cathay Pacific Airways after the airline announced that data of about 9.4 million passengers of Cathay and its unit, Hong Kong Dragon Airlines, had been breached.

One of the global travel industry’s most serious data breaches ever, the data included sensitive personal information like full names, some debit/credit card numbers, passport numbers, identity card numbers, historical travel data, home and business addresses and email addresses.

Cathay said 860,000 passport numbers, about 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV) were accessed in the breach, according to Reuters.

The airlines admitted to initially discovering suspicious activity on its network in March 2018 and in early May investigations confirmed that personal data of numerous data had been accessed.

SPG Law says that to date, Cathay Pacific has not offered to compensate individuals for direct financial losses or agreed to pay compensation for non-material damage despite being liable to do so for European customers under the General Data Protection Regulation (GDPR), which was launched in May this year. 

The firm has launched a page on its website to help the affected customers claim and obtain compensation.


To contact the editorial team, please email ALBEditor@thomsonreuters.com.