Further evidence has emerged that data protection rulings are like London buses – you wait ages for one then two come along at once – with Cathay Pacific Airways becoming the second firm in a week to be hit with a maximum £500,000 fine for breaking the law.
According to an Information Commissioner’s Office (ICO) investigation, between October 2014 and May 2018 Cathay Pacific’s computer systems lacked appropriate security measures, which led to customers’ personal details being exposed; 111,578 of those customers were from the UK, and approximately 9.4 million more were affected worldwide.
However, it was not until October 2018 that the airline decided to inform affected customers.
The airline’s failure to secure its systems resulted in unauthorised access to its passengers’ personal details, including names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.
Cathay Pacific only became aware of suspicious activity in March 2018 – over three-and-a-half years after the vulnerability was created – when its database was subjected to a brute force attack, in which numerous passwords or phrases are submitted in the hope of eventually guessing correctly. The incident led Cathay Pacific to engage a cybersecurity firm, and it subsequently reported the incident to the ICO.
The ICO found that Cathay Pacific’s systems were entered via a server connected to the Internet, and that malware was installed to harvest data. A catalogue of errors was found during the ICO’s investigation, including: back-up files that were not password protected; unpatched Internet-facing servers; use of operating systems that were no longer supported by the developer; and inadequate anti-virus protection.
Because the incident occurred before GDPR came into force, this case fell under the Data Protection Act 1998, meaning the regulator could only impose a maximum fine of £500,000.
ICO director of investigations Steve Eckersley said: “People rightly expect, when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here.
“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.
“Under data protection law organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible.”
Cathay Pacific has not yet indicated whether it will appeal against the penalty.