Hong Kong-based Cathay Pacific Airways said Thursday it has discovered unauthorized access to the personal data of 9.4 million passengers but had no evidence the leaked information had been misused.

The breach was discovered during "ongoing security processes," the airline said in a statement.

Hong Kong's privacy commissioner, Stephen Kai-yi Wong, expressed "serious concern" over the lapse and urged companies to improve protection personal data.

He said his office would begin a compliance check of the airline. He urged people to change their passwords and enable "two-factor authentication," to help protect their data.

The news caused the airline's shares to plunge 6.5 per cent in early Hong Kong trading. By midday Thursday, Cathay Pacific's shares were down 5.1 per cent.

Cathay Pacific said the data stolen included names, nationalities; birth dates, phone numbers, addresses, passport and identity card numbers and expired credit card numbers, among other information. It said no passwords were compromised. It was contacting customers to advise them on how to protect themselves.

It also said customers could contact the airline at infosecurityΓåòcathaypacific.com.

"We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures," the airline's CEO, Rupert Hogg said in a statement.