Cathay Pacific has admitted personal data of up to 9.4 million passengers has been accessed in a security breach.
The data that has been leaked included passport numbers, email addresses and expired credit card details.
Steve Malone, director of security product management at Mimecast said: "The Cathay Pacific breach is very concerning in terms of its scale and length of time taken to alert affected customers. It’s likely that EU citizens were included in a breach of this size and GDPR questions will be asked.
"Once personal information is compromised, cybercriminals can implement highly targeted spear-phishing and social engineering attacks, often via impersonation emails against friends or business contacts. These impersonation attacks are now the easiest way for criminals to steal money and valuable data.
Notified customers should change passwords as a precaution, says Malone, and they should alert their employer’s IT security teams to help look out for attacks misusing their personal information.
Cathay Pacific chief executive Rupert Hogg has apologised and said there had been "no evidence" that had surfaced to indicate the information had been misused.
In a statement, Hogg said: "We are very sorry for any concern this data security event may cause our passengers.
"We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures," Hogg said, adding that the airline was in the process of contacting affected passengers.
For more features and breaking news sign up to C&IT Magazine's daily Newstracker here.
Have you registered with us yet?
Register now to enjoy more articles
and free email bulletins.