Cathay Pacific hack: Personal data of up to 9.4 million airline passengers stolen.

From a public safety point of view, if an enterprise finds that 9.4 million personal records were stolen by a hacker and then postpones the announcement, then, from a technical point of view, law enforcement must interview the firm's top management to understand the root cause.

In my observation, the timeline of cyber security incidents in the airline industry looks unusual. In June, All Nippon Airways found that TLS could allow an attacker to perform a man-in-the-middle attack. Thereafter, British Airways announced that a total of 380,000 customers' bank details had been stolen by a hacker. However, both of these incidents were announced to the public in an acceptable manner.

From a technical point of view, it would not be possible to leak such a large amount of data through a TLS vulnerability or a mobile app programming bug. This suggests the breach was most likely the result of a SQL injection attack, that is, a SQL injection vulnerability used to dump the database.

For more details on the cyber security incidents above, please refer to the URLs below.

Cathay Pacific hack – https://www.scmp.com/news/hong-kong/law-and-crime/article/2170107/hong-kong-privacy-chief-slams-cathay-pacific-taking

British Airways announcement – 7th Sep 2018 (380,000 customers’ bank details stolen from website)

25th Oct 2018 – BA status update

http://mediacentre.britishairways.com/pressrelease/details/86/2018-247/10234

Jun 2018 – All Nippon Airways Security Advisories