Cathay Pacific Airways Ltd has been fined £500,000 by the Information Commissioner’s Office (ICO) for failing to protect the security of its customers’ personal data, including that of over 100,000 UK-based individuals.
The data protection watchdog said that between October 2014 and May 2018 the airline’s computer systems lacked appropriate security measures, which led to customers’ personal details being exposed: 111,578 of the affected customers were from the UK, and approximately 9.4m more were worldwide.
The airline’s failure to secure its systems resulted in unauthorised access to its passengers’ personal details, including names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.
Cathay Pacific became aware of suspicious activity in March 2018 when its database was subjected to a brute force attack, in which numerous passwords or phrases are submitted in the hope of eventually guessing one correctly.
The incident led the company to employ a cybersecurity firm, and it subsequently reported the incident to the ICO.
The ICO found Cathay Pacific’s systems were entered via a server connected to the internet and malware was installed to harvest data.
A catalogue of errors was found during the ICO’s investigation, including back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer; and inadequate anti-virus protection.
In addition, database backups were not encrypted, the administrator console was publicly accessible via the internet, accounts were given inappropriate privileges, penetration testing was inadequate, and the company failed to adhere to many of its own cyber security policies.
Steve Eckersley, ICO director of investigations, said: ‘This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers.
‘The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.
‘Under data protection law organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible.’
The £500,000 fine was the maximum available under the Data Protection Act 1998, which applied in this case due to the timing of these incidents.
The ICO acknowledged that in addition to acting promptly in seeking expert assistance from a leading cyber security firm, Cathay Pacific also issued appropriate information to affected individuals and co-operated with its investigation.
The General Data Protection Regulation (GDPR) regime, which came into effect from 25 May 2018, allows for much larger fines.