Cathay Pacific Airways has announced that it had a suffered a security incident in which cybercriminals accessed the personal data of 9.4 million passengers of Cathay and its unit Hong Kong Dragon Airlines Limited.

The breach exposed a feature-rich set of private details, including passenger names, nationalities, dates of birth, phone numbers, and email addresses. The company’s statement for the Hong Kong stock exchange shows that the breach compromised 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers, and 27 credit card numbers with no card verification value (CVV).

Also accessed were frequent flyer program membership numbers, historical travel information and customer service remarks. Meanwhile, no passwords are believed to have been accessed.

“We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves,” the airline’s Chief Executive Officer Rupert Hogg said.

There’s no word on how the attackers broke into Cathay’s systems. However, the airline said that the breach had initially been discovered back in March and confirmed in May of 2018.

“Upon discovery, the company took immediate action to investigate and contain the event.  The company has no evidence that any personal information has been misused,” according to Cathay’s statement.

As to why it took several months to notify the public of the incident, Cathay Pacific had this to say in a statement relayed by Computer Weekly: “We believe it is important to have accurate information to share, so that people know the facts and we can support them accordingly.”

This is the third breach to hit the aviation industry in approximately two months. In late August, a breach in Air Canada’s mobile app exposed the data of 20,000 travelers. A week later, British Airways disclosed the theft of customer data that compromised around 380,000 payment cards.