The Information Commissioner’s Office (ICO) has fined
Cathay Pacific £500,000 for a data breach that was revealed in 2018 and
affected around 9.4 million customers worldwide.
The ICO said its investigation found that from October 2014
to May 2018, the airline group’s computer systems “lacked appropriate security
measures”, which led to customers’ personal details being exposed, 111,578 of
whom were from the UK.
Data compromised by the breach included names, passport and
identity details, dates of birth, postal and email addresses, phone numbers and
historic travel information.
Cathay Pacific became aware of the flaw in March 2018 when
its database was subjected to “a brute force attack”, according to the ICO,
in which hackers submitted large numbers of passwords and phrases in the hope
that one would succeed. The airline hired a cybersecurity firm to investigate
and eventually reported the incident to the ICO.
The ICO’s investigation found the carrier’s systems were
entered via a server connected to the internet and malware was installed to
harvest data. It also found a “catalogue of errors” on the part of the airline,
including back-up files that were not password protected, unpatched
internet-facing servers, use of operating systems that were no longer supported
by the developer and inadequate anti-virus protection.
Steve Eckersley, ICO director of investigations, said: “People
rightly expect when they provide their personal details to a company that those
details will be kept secure to ensure they are protected from any potential
harm or fraud. That simply was not the case here.
“This breach was particularly concerning given the number of
basic security inadequacies across Cathay Pacific’s system, which gave easy
access to the hackers. The multiple serious deficiencies we found fell well
below the standard expected. At its most basic, the airline failed to satisfy
four out of five of the National Cyber Security Centre’s basic Cyber Essentials
guidance.
“Under data protection law, organisations must have
appropriate security measures and robust procedures in place to ensure that any
attempt to infiltrate computer systems is made as difficult as possible.”
The ICO added that due to the timing of the breach, the £500,000
fine was based on previous legislation. If the case had been considered under
the General Data Protection Regulation (GDPR), which came into effect later,
the maximum penalty could have been £17 million or 4 per cent of Cathay Pacific’s
global sales.
Other major travel companies hit with massive fines from the
ICO include Marriott, which was charged £99 million for a data breach involving
more than 300 million guest records, and British Airways, which faced a £183.39
million penalty for a 2018 incident.
The fine will be a blow to Cathay Pacific, which has faced
economic uncertainty in recent months owing to political protests in Hong Kong
and the outbreak of the new coronavirus.