The airline also revealed it had spent HK$1 billion (US$128 million) over three years on IT infrastructure and security, but it was not enough to stop what it called “sophisticated attackers” repeatedly targeting and breaching its system.

Cathay’s investment in its IT system included spending on two large data servers and cloud computing, and came during a period when it generated HK$292 billion (US$37 billion) in revenue.

On October 24, the airline revealed it had suffered a major data breach seven months earlier, and said it had taken steps to investigate whether customer data had been compromised.

It took until mid-August for investigators to discover what hackers had been able to steal, and how it had affected customers.

“Cathay was subject to further attacks which were at their most intense in March, April and May but continued thereafter,” the airline said in its statement. “These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention.”

Cathay’s revelations contradict statements it made earlier about what it knew about the cyberattack, and when.

Hong Kong government weighs in on Cathay Pacific data breach

Questioned on a radio show a day after revealing the hack, Paul Loo Kar-pui, the airline’s chief customer and commercial officer, said the company was not able to confirm if its IT system had been breached until early May.

At the time, he did not mention the fact the firm had been subjected to attacks for more than three months.

The hack has prompted a formal investigation by the Hong Kong privacy watchdog, while a police investigation is ongoing.

“The investigation was complex, longer than what we would have wished, and we would have liked to have been able to provide this information sooner,” the airline said.

Cathay, one of Asia’s largest international carriers, has been roundly criticised for not telling customers about the hack immediately. On Monday it repeated expressions of “great regret” and “sincere apologies” to the affected passengers, and hoped to “continue to earn their confidence and trust”.

Worried after Cathay’s data breach? Here’s all you need to know

“Throughout our investigation into this incident, our foremost objective and primary motivation has been to support our affected passengers by providing accurate and meaningful information,” the statement said.

Lawmaker Charles Mok, representing the IT sector, said the company had missed three opportunities over the course of seven months to go public.

“March, May, August they missed all these opportunities to report it,” said Mok, who was unequivocally critical of the airline’s briefing note given to the Legislative Council.

“I think the answers are very vague… they didn’t elaborate.”

Information accessed by the hackers included passengers’ names, nationalities, dates of birth, telephone numbers, email and home addresses, frequent flier programme membership numbers, passport numbers, Hong Kong ID card numbers and expired credit card numbers.

Of the 9.4 million people affected, customers included members of the Asia Miles loyalty programme, the Marco Polo Club frequent flier scheme, as well as non-member passengers.

Cathay CEO Rupert Hogg, chairman John Slosar and Loo, who is responsible for the airline’s IT division and chairman of Asia Miles, are expected to attend the committee hearing on Wednesday.

Additional reporting by Karen Zhang, Alvin Lum and Simone McCarthy