£500k Data Breach Fine for Cathay Pacific in the UK

The Information Commissioner’s Office (ICO) in the United Kingdom has approved a £500,000 data breach penalty against airline Cathay Pacific following security lapses which impacted the private information of 111,578 UK citizens and up to 9.4 million customers worldwide.

This is the highest penalty applicable under UK law at the time of the breach, as it occurred prior to the May 25 2018 introduction of the General Data Protection Regulation by the European Union. If it had taken place after this date, the fine could have been up to €20m or 4% of annual global revenue.

The airline said that it first noticed the breach during March of 2018 but failed to address the situation for almost six months. The ICO said that this failure led to illegal access to passengers’ personal details, including names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel details. It has also been revealed that the breaches had been taking place as far back as 2014.

The ICO statement read: “(The ICO found) Cathay Pacific’s systems were entered via a server connected to the internet and malware was installed to harvest data”. It went on to say that “a catalogue of errors” was identified during the investigation, including back-up files that were not password protected; unpatched Internet-facing servers; use of operating systems that were no longer supported by the developer; and inadequate antivirus security.

Steve Eckersley, the ICO’s director of investigations, said: “People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here. This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.”

He went on to say: “Under data protection law organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible.”

Reacting to the breach and fine, Cathay Pacific released a statement to say that it has since taken steps to improve “in the areas of data governance, network security and access control, education and employee awareness, and incident response agility. Substantial amounts have been spent on IT infrastructure and security over the past three years and investment in these areas will continue. We have co-operated closely with the ICO and other relevant authorities in their investigations. Our investigation reveals that there is no evidence of any personal data being misused to date.

“However, we are aware that in today’s world, as the sophistication of cyber attackers continues to increase, we need to and will continue to invest in and evolve our IT security systems. We will continue to co-operate with relevant authorities to demonstrate our compliance and our ongoing commitment to protecting personal data.”

The ICO in the UK has been very focused on sanctioning fines under both the old legislation and the new EU GDPR legislation.