Cathay Pacific revealed the data breach last October. Photo: Felix Wong

Hong Kong privacy watchdog orders Cathay Pacific to take remedial action over massive leak of customer data

  • Privacy Commissioner Stephen Wong released investigation report after personal information of 9.4 million passengers was leaked last year
  • Airline slammed for failing to take all reasonable steps to protect affected passengers’ data against unauthorised access

Hong Kong’s privacy watchdog has ordered Cathay Pacific Airways to take remedial action for breaching the law after the personal information of 9.4 million passengers was leaked last year.

Privacy Commissioner for Personal Data Stephen Wong Kai-yi released his office’s investigation report on Thursday, seven months after the city’s flagship carrier revealed the massive data leak in October.
At the time, the company said it had discovered customer data of Cathay Pacific and its subsidiary, Cathay Dragon, had been accessed without authorisation, including passenger names, nationalities, dates of birth, identity card numbers and travel history.

Some 403 expired credit card numbers and 27 credit card numbers with no card verification value were compromised, along with about 860,000 passport numbers and 240,000 Hong Kong identity card numbers.

Stephen Wong released the investigation report seven months after the data breach was revealed. Photo: David Wong

The revelation earned the airline a strong rebuke from the privacy commissioner while angry passengers complained about being deliberately kept in the dark.

The report said the carrier had breached the ordinance in relation to personal data security and retention.

Wong slammed Cathay for failing to take all reasonably practicable steps to protect affected passengers’ personal data against unauthorised access.

The company’s wrongdoings included a “failure to identify the commonly known exploitable vulnerability and the exploitation, and failure to take reasonably practicable steps to accord due deployment of the internet facing server”, the report said.

“Cathay did not take all reasonably practicable steps to ensure that the Hong Kong identity card numbers of the affected passengers were not kept longer than was necessary for the fulfilment of the defunct verification purpose for which the data was used.”

The office directed the airline to take six remedial measures, including engaging an independent data security expert to overhaul the systems containing personal data and completely obliterating all unnecessary identity card numbers collected from the Asia Miles membership programme from all systems.

Failure to comply with the enforcement notice would risk two years’ imprisonment.

However, the airline did not breach the law by not notifying passengers of the leak immediately, as such notification was not required.

An airline spokeswoman apologised for the incident again on Thursday, saying Cathay had taken decisive measures to further enhance IT security in the areas of data governance, network security, access control, education and awareness of staff, and incident response agility.

The airline believed these measures would help prevent further unauthorised access to its systems.

The spokeswoman added that the company was “aware that in today’s world, as the sophistication of cyber attackers continues to increase, we need to and will continue to invest in and evolve our IT security systems”.

Its own investigation found there was no evidence of any personal data being misused to date, and its identification monitoring services would continue to be available to affected passengers.

The airline has taken measures to improve IT security, a spokeswoman says. Photo: Fung Chang

The Constitutional and Mainland Affairs Bureau said it noted the report, adding the government would work closely with stakeholders, including the Legislative Council, to develop a possible data breach notification mechanism.

Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said the fact that no penalty could be imposed on the airline at this stage under existing legislation was another manifestation of how the city’s laws relating to the technology sector had fallen behind development.

Based on the watchdog’s findings, Fong said the leak might have been related to remote sites and remote-access users connecting to the server, and that effective multifactor authentication was necessary, as the report had pointed out.

He urged the authorities to use as a reference the European Union’s new General Data Protection Regulation to amend the laws and impose sanctions with a greater deterrence.
