Major international airline Cathay Pacific revealed today that as many as 9.4 million passengers had their records stolen in a data breach that occurred in March. Passport information, including identity card numbers, names, dates of birth, and postal addresses may all have been compromised.

The breach also included details about where each passenger had traveled and any comments made by customer service representatives. The amount of data accessed varied among passengers. Cathay also noted that 403 expired credit card numbers were accessed and so were 27 credit card numbers with no CVV numbers attached. We’ve reached out to the airline to ask if other credit cards with CVVs that haven’t expired were accessed.

In a statement on Wednesday, the airline said, “The company has no evidence that any personal information has been misused. The IT systems affected are totally separate from its flight operations systems, and there is no impact on flight safety.” It also said that no passwords were compromised.

Cathay Pacific’s breach exposed passport details

Cathay Pacific is based in Hong Kong but serves flights around the world, including in North America, Europe, China, Taiwan, Japan, Southeast Asia, and the Middle East. While airlines like Delta and British Airways have been increasingly targeted by cyberattacks in the past year, the breach Cathay suffered is notable for exposing passport details. Internet security company Webroot’s senior security analyst Randy Abrams told The Verge in an email, “The Cathay Pacific breach disclosed a feature-rich set of data, including more than 40 times more passports than the Air Canada breach, meaning it will have a much greater impact on passengers.”

The breach also differs from others because Cathay took over six months from the time the breach occurred in March to announcing it in public now. As the company has a presence in Europe, it might run into trouble with newly passed General Data Protection Regulation (GDPR) rules that require companies to tell customers and law enforcement within three days of discovering a breach. “In addition to the reputation cost, Cathay Pacific may face costly GDPR repercussions due to the amount of time that passed,” Abrams said.

The airline is communicating with local police in Hong Kong and other relevant authorities, it said. Customers who think they might have been affected should visit infosecurity.cathaypacific.com or call or email the company directly.