Cathay Pacific said the combination of data accessed varied for each passenger.
Cathay Pacific said it's working with Hong Kong police on the investigation, as well as a cybersecurity firm.
Unauthorised access was made to a database containing passengers' name, nationality, date of birth, phone number, email, address, passport number, identity card number, frequent flyer programme membership number, customer service remarks, and historical travel information.
Also stolen in the breach were 403 expired credit card numbers and 27 active credit card numbers, the airliner said. The information system security measures were then strengthened.
"We are very sorry for any concern this data security event may cause our passengers, " Cathay chief executive Rupert Hogg said in a statement.
The airline said up to about 9 million customers were believed to have been affected.
Actores de "Élite" son pareja en la vida real
María Pedraza y Jaime Lorente en el estreno de 'Animales sin collar'. Al parecer, Jaime y María trasladaron ese romance a la vida real.
Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, urged the carrier to notify affected clients as soon as possible, pointing out the breach was discovered seven months ago. "The IT systems affected are totally separate from its flight operations systems, and there is no impact on flight safety".
IT sector lawmaker Charles Mok described the leak as a serious breach of personal data, noting that the airlines' customers came from all over the world.
"If you have been contacted directly, we recommend you contact your bank or credit card company to seek their advice", Cathay added.
Mok noted that the European Union's new General Data Protection Regulation requires such breaches to be reported within 72 hours. It planned to contact the company and launch a compliance check.
Hogg did not mention financial compensation for passengers affected by the data leak, but British Airways pledged to compensate customers when the United Kingdom flag carrier suffered a data hack last month.
The personal and financial details of customers making bookings on its website and app were compromised, it said.