Cathay Pacific has been hit with a £500,000 fine for failing to protect the security of its customers’ personal data.
The penalty was imposed by the Information Commissioner’s Office (ICO) after the personal details of more than 9.5 million customers were exposed, including 111,578 from the UK, over almost four years from October 2014.
The airline’s failure to secure its systems resulted in unauthorised access to its passengers’ personal details, including names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.
The Hong Kong-based carrier became aware of suspicious activity in March 2018 when its database was subjected to a ‘brute force’ attack, where numerous passwords or phrases are submitted with the hope of eventually guessing correctly.
The incident led the airline to employ a cybersecurity firm and subsequently report the breach to the ICO.
Cathay Pacific’s systems were entered via a server connected to the internet and malware was installed to harvest data, the ICO found.
A catalogue of errors was found during the ICO’s investigation, including:
- back-up files that were not password protected;
- unpatched internet-facing servers;
- use of operating systems that were no longer supported by the developer; and
- inadequate anti-virus protection.
ICO investigations director Steve Eckersley said: “People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here.
“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers.
“The multiple serious deficiencies we found fell well below the standard expected.
“At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic cyber essentials guidance.
“Under data protection law organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible.”
Strengthened UK and European data protection laws came into force in 2018; however, because of the timing of these incidents, the ICO investigated this case under the Data Protection Act 1998.
The ICO found the breach to be a “serious contravention” of Principle 7 of the Data Protection Act 1998, which states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.
Cathay Pacific issued appropriate information to affected individuals and co-operated with the ICO’s investigation in addition to acting promptly in seeking expert assistance from a leading cyber security firm.
Cathay Pacific said in a statement: “The company would once again like to express its regret, and to sincerely apologise for this incident.
“The company has already taken measures to enhance its IT security in the areas of data governance, network security and access control, education and employee awareness, and incident response agility. Substantial amounts have been spent on IT infrastructure and security over the past three years and investment in these areas will continue.
“We have co-operated closely with the ICO and other relevant authorities in their investigations. Our investigation reveals that there is no evidence of any personal data being misused to date.
“However, we are aware that in today’s world, as the sophistication of cyber attackers continues to increase, we need to and will continue to invest in and evolve our IT security systems.
“We will continue to co-operate with relevant authorities to demonstrate our compliance and our ongoing commitment to protecting personal data.”