Hong Kong’s flagship airline Cathay Pacific Airways on Wednesday said that data of about 9.4 million passengers of the carrier and its unit Hong Kong Dragon Airlines Ltd was accessed in a breach. The leak was first discovered in March, and uauthorised access to the data was confirmed in May.

The airline said hackers accessed 8,60,000 passport numbers, about 2,45,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value, Reuters reported.

“We are very sorry for any concern this data security event may cause our passengers,” Cathay Pacific Chief Executive Officer Rupert Hogg said. “We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.”

Hogg claimed that no passwords had been compromised. He said the airline had been contacting passengers to provide them advice on how to protect themselves.

The airline also said that the affected information systems were separate from flight operations systems, and therefore flight safety was not a concern. “The company has no evidence that any personal information has been misused,” the statement added according to the South China Morning Post.

Information technology advocate Charles Mok, who is a member of the Hong Kong Legislative Council, wondered why the leak was disclosed after several months had passed. “They also didn’t immediately alert the affected passengers or local and foreign privacy watchdogs, which is unacceptable,” he added.

On September 6, British Airways had announced that the personal and financial details of customers who booked or changed their tickets on the airlines’ website between August 21 and September 5 were stolen in a data breach. Around 3,80,000 card payments were compromised.