Cathay Pacific hit with £500,000 data protection fine from ICO over 2018 breach

Airline receives maximum financial penalty under Data Protection Act for data breach that led to nine million customers having their personal data accessed by hackers

Cathay Pacific Airways has been fined £500,000 by the Information Commissioner’s Office (ICO) for failing to secure the personal details of 9.4 million customers.

Persistent shortcomings in the security of the international airline’s computer systems between October 2014 and May 2018 led to the personal details of its customers being accessed by hackers, prompting an investigation by the ICO.

That work led to the discovery of an entry point into Cathay Pacific’s IT systems, made possible by an internet-connected server, through which data-harvesting malware had been installed.

The ICO investigation also uncovered non-password-protected backup files stored in the firm’s IT setup, unpatched internet-facing servers, unsupported operating systems and inadequate anti-virus protection measures.

Against this backdrop, the hackers were able to access the names, passport details, contact information and historic travel information of Cathay Pacific customers, a situation the airline is known to have become aware of in March 2018.

This followed the firm’s detection of a brute-force attack being carried out against the database. The company hired a cyber security firm to investigate the attack, and it was that firm that reported the incident to the ICO.

Steve Eckersley, director of investigations at the ICO, said the breach Cathay Pacific suffered was particularly worrying given the number of “basic security inadequacies” within its systems that had paved the way for it.

“The multiple serious deficiencies we found fell well below the standard expected,” he said. “At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.

“Under data protection law, organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible.”

The fine is the highest penalty the ICO can issue under the Data Protection Act 1998, with the watchdog describing the incident as a “serious contravention” of the legislation.

Tony Pepper, CEO of IT security software supplier Egress, said the timing of the incident may have worked in Cathay’s favour because it meant the incident could not be considered a breach of the General Data Protection Regulation (GDPR).

“Had this been under GDPR, Cathay Pacific could have been hit with a mammoth £470m fine – 4% of its annual global turnover – dwarfing the fines handed out to BA (£183m) and Marriott (£99.2m),” he said.

“This acts as yet another wake-up call to organisations that are not taking data protection seriously. GDPR demands compliance from businesses of all sizes and they need to take all necessary steps to protect data.”
