Cathay Pacific has finally admitted that the data of 9.4 million of its customers had been hacked seven months ago. The Hong Kong-based airline company said in an announcement on Wednesday night that the data, including passenger’s names, nationalities, dates of birth, phone numbers, addresses, emails, passport numbers, ID card numbers, frequent flyer numbers, customer service remarks and historical information had been accessed without authorization, along with the numbers of 403 expired credit cards and 27 credit cards lacking the full information.

In addition, about 860,000 passport numbers and 245,000 Hong Kong identity card numbers were accessed without authorization. Cathay said the data accessed varied with each passenger and it added that police had been informed.

Chief executive officer Rupert Hogg apologized for the breach, saying there would be a thorough investigation. He also said a leading cybersecurity firm would be working to strengthen the company’s IT systems, Apple Daily reported.

The airline said it had no evidence that any personal information had been misused and that the IT systems affected were separate from flight operation computers. The airline also said no passwords had been compromised.

Hong Kong’s flagship airline admitted that the data breach was detected in March during a regular security check and confirmed the problem in May, but only revealed it to the public on Wednesday.

Paul Loo, the chief customer and commercial officer, defended the delay on a radio program on Thursday, saying the company did not want to cause an unnecessary scares and wanted to find out exactly what happened before informing the public, Radio Television Hong Kong reported.

Loo said customers who had been affected would be informed in the next two days with details of what data had been leaked.

Cathay said anyone who believes they may have been affected can contact them at infosecurity@cathaypacific.com or via a dedicated website, infosecurity.cathaypacific.com.