Cathay Pacific airline reported a data breach today that affected 9.4 million customers exposing a large range of personally identifiable information and a limited amount of credit card data.

Airline officials said in a statement that the breach was revealed during a security review when unauthorized access was discovered in the system containing passenger data. The company said it does not believe the compromised information has been misused and that this computer network is not connected to flight operations.

Several industry experts also believe Cathay Pacific may face significant repercussions from EU GDPR regulators as it took longer than is required to report the incident.

“We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves.  We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised,” Cathay Pacific Chief Executive Officer Rupert Hogg said in a statement.

The data contained in the exposed system included passengers names, nationality, date of birth, phone number, email, address, passport number, identity card number, frequent flyer program membership number, customer service remarks, and historical travel information. Additionally, 430 credit cards were accesses, of these 403 were expired and 27 active, but no CVV numbers for the latter were exposed.

Webroot senior security analyst Randy Abrams noted the airline could be in some trouble with the European Union as under GDPR companies doing business in the EU must report any data breaches within 72 hours.

“In addition to the reputation cost, Cathay Pacific may face costly GDPR repercussions due to the amount of time that passed between the discovery of the breach and reporting it to the public,” he told SC Media.

Steve Malone, Mimecast’s director of security product management agreed that the timing and GDPR repercussions are likely for Cathay Pacific.

“The Cathay Pacific breach is very concerning in terms of its scale and length of time taken to alert affected customers. It’s likely that EU citizens were included in a breach of this size and GDPR questions will be asked,” he told SC Media.

The very fact that the company faces damages imposed due to its delayed announcement may be one reason it did not rush out and report the incident to EU authorities and this type of behavior will likely be seen again, said Etienne Greeff, CTO and co-founder of SecureData.

” As we saw with Google + earlier this month, this is a classic example of the unintended consequences of regulation. By forcing companies to comply with tough new processes and rules, businesses are forcibly going to hide breaches and hacks purely out of fear of being caught out by hefty fines and significant reputational damage,” Greef said.

Cathay Pacific joins British Airways and Air Canada which were also breached this year.