ICO fines Cathay Pacific £500,000 for 2018 data breach

Hong Kong airline hit with maximum fine under the Data Protection Act 2018 for "basic" security failures

The Information Commissioner's Office (ICO) has fined Hong Kong airline Cathay Pacific £500,000 for failing to protect the data of approximately 9.4 million people in 2018.  

From October 2014 to May 2018, the airline's computer systems lacked basic security measures, according to the ICO, which led to customers' personal data being exposed.

An ICO investigation found that Cathay Pacific had failed to secure its computer systems and allowed unauthorised access to personal details such as names, passport and identity data, dates of birth, postal and email addresses, phone numbers and also historic travel records. 

Of the 9.4 million customers who had their data exposed, 111,578 were from the UK, but due to the timing of the breach, the company has received a maximum monetary fine under the Data Protection Act 2018, rather than the GDPR.

"This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific's system, which gave easy access to the hackers," said Steve Eckersley, ICO director of investigations.

"The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre's basic Cyber Essentials guidance."

The airline hired a cyber security firm after noticing suspicious activity in March 2018. The incident was then reported to the ICO by the company Cathay had hired. In its investigation, the ICO found that the airline's systems were entered via a server connected to the internet, where malware was installed to harvest data.

An investigation quickly followed and the data watchdog said it found a "catalogue" of errors, such as back-up files without passwords, unpatched internet-facing servers, unsupported operating systems and inadequate antivirus software. 

Responding to the ICO's notice, Cathay Pacific told IT Pro that it had already taken measures to enhance its IT security in areas such as data governance, network security and access control, education and employee awareness, and incident response agility.  

"Substantial amounts have been spent on IT infrastructure and security over the past three years and investment in these areas will continue," the airline said. "We have co-operated closely with the ICO and other relevant authorities in their investigations."
