Airline hit with data breaches

05 December 2018

No stranger to high-profile cyber incidents, the airline industry has experienced two large data breaches in a matter of months, a reminder that personal data remains a significant exposure for the sector.

In October, Hong Kong-based Cathay Pacific Airways revealed that hackers had accessed the personal information of 9.4 million customers, the largest data breach to hit the airline sector to date. The incident followed a smaller, yet still significant, data breach at British Airways in September.

Cathay Pacific said passport numbers, addresses and email addresses were exposed, although flight safety was not compromised. The news caused the airline’s shares to fall almost 8% to a nine-year low. In a November update, Cathay Pacific said it was working with 27 regulators in 15 jurisdictions to investigate the data breach. Describing the breach as a “crisis”, the airline’s Chairman John Slosar told a committee investigating the breach in Hong Kong that the incident is the “most serious” the airline has faced.


Few details of the cyber attack have been released, but it took the airline seven months to disclose the data breach. The airline first became aware of the attack in March, and the attack continued with intensity for several subsequent months. Explaining the delay, Cathay Pacific said it “wanted to be able to give a single, accurate and meaningful notification to each affected passenger, rather than to provide an overly broad and non-specific notice.”

The airline took until mid-August to conclude its initial forensic investigation, but was only able to identify affected passengers in late October. Cathay Pacific said the investigation had been time consuming, as it had to establish which passenger data had been accessed and whether that data could be reconstructed outside its own IT systems.

Unlike the EU’s General Data Protection Regulation (GDPR), which requires companies to notify the regulator of a data breach within 72 hours, Hong Kong has no statutory requirement to report data breaches to its data protection regulator, the Privacy Commissioner for Personal Data (PCPD). However, commenting on the Cathay Pacific breach, the PCPD said it has a statutory obligation to review data protection law and will, within months, make recommendations on the areas of the law that warrant amendment.


British Airways was quick to notify regulators and affected individuals of its data breach back in September. The airline said hackers had stolen personal data from 380,000 of its customers between 21 August and 5 September, in what is thought to be an online payment card-skimming attack.

However, a forensic investigation into the breach uncovered an earlier breach between 21 April and 28 July, which resulted in British Airways notifying a further 180,000 customers. The investigation also concluded that the initial breach affected fewer customers than first feared: of the 380,000 payment card details identified in September, only 244,000 were affected.

Cyber security researchers Flashpoint and RiskIQ reported that the payment card details of British Airways customers were for sale on the dark web, priced between USD 9 and USD 50 each, potentially generating as much as USD 12.2 million for cyber criminals. However, British Airways says it has not received any verified reports of fraud as a result of the attack, which is believed to be the work of the hacker group Magecart. The group is thought to be behind a series of online skimming attacks, including those on Ticketmaster, Cancer Research, Faber & Faber and, in the US, Newegg.


Both the British Airways and Cathay Pacific data breaches attracted the attention of claimant law firms specialising in class actions. UK-based law firm SPG Law, which was already building a class action against British Airways for its recent data breach, has said it plans to seek compensation for Cathay passengers through collective legal action overseas. The law firm is planning a class action in the UK for EU residents and another action in The Netherlands for other claimants, including those from Hong Kong and China.

SPG hopes to win “thousands, or possibly tens of thousands” in compensation for each affected customer. The law firm told the South China Morning Post that some of the affected customers will have a right to compensation from Cathay Pacific under Article 82 of the GDPR, which allows claims for non-financial damages, such as distress.


With its high dependency on technology, the aviation industry faces a broader range of cyber exposures than most other sectors. From business interruption and privacy liabilities, to fears over the potential threat to airline safety, cyber risk cuts across almost all parts of the airline industry.

As reliance on technology has grown, the airline industry has also been plagued by a series of system outages, which have caused major disruption to services and reputational damage. In 2017, a major IT failure brought down British Airways’ systems, and Southwest Airlines, Delta and United Airlines all suffered similar disruption from IT problems in 2016 and 2017. In 2016, hackers released confidential data on 400,000 members of Vietnam Airlines’ frequent flyer club. This followed a 2015 cyber attack in which British Airways Executive Club accounts were compromised and a 2014 attack against Japan Airlines, where hackers stole the details of up to 750,000 customers.


Physical damage and related business interruption are covered by airline hull and liability insurance, even where a cyber incident may be to blame. However, standard airline insurance excludes losses related to a data breach and systems outages, where physical damage is absent.

In response to these gaps in cover, JLT launched Airline Data and Reliance on Technology (DART) protection for airlines. The policy provides cover for the operational impact of a cyber incident on an airline, such as an unplanned outage or a security breach. The policy also covers security and privacy liability, data restoration and breach response costs, as well as covering liabilities associated with the GDPR.

Aviation insurance has long been a core specialism of JLT, and our cyber team has placed policies for a number of the world’s largest airlines and service providers.


For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on