Cathay Pacific has discovered unauthorised access to some of its information systems, containing passenger data of up to 9.4 million people.
The company said it has no evidence that any personal information has been misused.
The IT systems affected are “totally separate” from its flight operations systems, and there is no impact on flight safety, the Hong Kong-based carrier said.
The following personal data was accessed: passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer programme membership number; customer service remarks; and historical travel information.
Some 860,000 passport numbers and about 245,000 Hong Kong identity card numbers are among the data stolen.
In addition, 403 expired credit card numbers were accessed. Twenty-seven credit card numbers with no CVV were accessed.
Cathay Pacific said it had notified the Hong Kong Police and is notifying the relevant authorities .
The suspicious activity was first discovered in March, and the loss of personal information was confirmed in May.