Cathay pacific
A Cathay Pacific Airways Airbus A350-900 airplane approaches to land at Changi International Airport in Singapore, June 10, 2018. REUTERS/Tim Chong/File Photo

Shares of Cathay Pacific Airways Ltd (0293.HK) dropped more than 6 percent on Thursday to a nine-year low after it said data of about 9.4 million passengers of Cathay and its unit, Hong Kong Dragon Airlines Ltd, had been accessed without authorization.

Cathay said late on Wednesday that in addition to 860,000 passport numbers and about 245,000 Hong Kong identity card numbers, the hackers accessed 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV).

The company said it initially discovered suspicious activity on its network in March 2018 and investigations in early May confirmed that certain personal data had been accessed.

Hong Kong's privacy commission on Thursday expressed serious concern over the data breach and urged the airline to notify passengers affected by the leak as soon as possible and explain details immediately.

Shares of Cathay Pacific slid more than 6 percent on Thursday to HK$9.95, their lowest in nine years. That compared with a 2 percent fall for the benchmark Hang Seng Index (.HSI).

It was not immediately clear who was behind the data breach or what the information might be used for.

Cathay said the Hong Kong Police had been notified about the breach and that there was no evidence that any personal information had been misused.

The data breach comes as the airline is undergoing a turnaround designed to cut costs and increase revenue, after back-to-back years of losses, to allow it to better compete against rivals from the Middle East, mainland China and budget airlines.

In August, Cathay Pacific posted a narrower half-year loss on a strong rise in airfares and cargo rates and flagged expectations for a better second half despite economic headwinds from mounting U.S.-China trade tensions.

The hack also comes more than a month after British Airways apologized over the theft of credit card details of hundreds of thousands of its customers over a two-week period in an attack on its website and app.

(Reporting By Anne Marie Roantree and Donny Kwok; editing by Richard Pullin)

-Reuters