The breach involved private user information, including phone numbers, dates of birth, frequent flier membership numbers and passport and government ID numbers, as well as information on passengers’ past travels. The airline said that 27 credit card numbers — but not their corresponding security codes — had been obtained, as had 403 expired credit card numbers.