A major cyberattack that saw the data of 9.4 million Cathay Pacific Airways customers stolen by hackers was far worse than the airline has previously admitted.

Rather than the “suspicious activity” it said it had discovered on its billion-dollar computer network in March, the carrier revealed that it had been the target of an intense attack lasting more than three months.

Cathay made the shock admission in a written submission to Hong Kong lawmakers ahead of a committee hearing to question the airline’s management team on Wednesday morning.

Such was the intensity of the attack, Cathay said internal and external IT security experts had to focus solely on containment and prevention throughout March, April and May.

The airline also revealed it had spent US$127mil (RM531mil) over three years on IT infrastructure and security, but this had not been enough to stop what it called “sophisticated attackers” repeatedly targeting and breaching its system.

Cathay’s investment in its IT system included spending money on two large data servers and cloud computing, and came during a period when it generated HK$292bil (RM156bil) in revenue.

On Oct 24, the airline revealed it had suffered a major data breach seven months earlier, and said it had taken steps to investigate whether customer data had been compromised.

It took until mid-August for investigators to discover what hackers had been able to steal, and how it had affected customers.

“Cathay was subject to further attacks which were at their most intense in March, April and May but continued thereafter,” the airline said in its statement. “These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention.”

Cathay’s revelations contradict statements it made earlier about what it knew about the cyberattack, and when.

The hack has prompted a formal investigation by the Hong Kong privacy watchdog, while a police investigation is ongoing.

“The investigation was complex, longer than what we would have wished, and we would have liked to have been able to provide this information sooner,” the airline said.

Cathay, one of Asia’s largest international carriers, has been roundly criticised for not telling customers about the hack immediately. On Monday it repeated expressions of “great regret” and “sincere apologies” to the affected passengers, and hoped to “continue to earn their confidence and trust”.

“Throughout our investigation into this incident, our foremost objective and primary motivation has been to support our affected passengers by providing accurate and meaningful information,” the statement said.

Information accessed by the hackers included passengers’ names, nationalities, dates of birth, telephone numbers, emails, physical addresses, frequent flier programme membership numbers, passport numbers, Hong Kong ID card numbers, and expired credit card numbers.

Of the 9.4 million people affected, customers included members of the Asia Miles loyalty programme, Marco Polo Club frequent flier scheme, as well as non-member passengers.

Cathay CEO Rupert Hogg and one of his deputies, Paul Loo Kar-pui, chief customer and commercial officer responsible for the airline’s IT division and chairman of Asia Miles, were expected to attend the committee hearing on Wednesday. – South China Morning Post