Cathay Pacific hit with £500,000 fine for customer data breach

Information Commissioner's Office said breach was 'particularly concerning' and went undetected between 2014 and 2018.
Written by Danny Palmer, Senior Writer

International airline Cathay Pacific has been issued with a £500,000 fine for failing to secure the personal data of its customers.

The Information Commissioner's Office (ICO) said that, between October 2014 and May 2018, Cathay Pacific's computer systems lacked appropriate security measures, which led to customers' personal details being exposed: 111,578 of the affected customers were from the UK, and around 9.4 million more were affected worldwide. The airline's failure to secure its systems resulted in unauthorised access to its passengers' personal details, including names, passport and identity details, dates of birth, postal and email addresses, phone numbers, and historical travel information, the ICO said when issuing the fine.

An investigation by the data protection authority found 'a catalogue of errors' in how the airline handled cybersecurity that resulted in the breach – which had been ongoing since at least October 2014 – not being uncovered and disclosed until May 2018.

The ICO said the attack was able to take place because backups were not password-protected or encrypted, internet-facing servers were left unpatched despite a known vulnerability, an unsupported operating system was in use, and anti-virus protection was inadequate.


The lack of a software-patch management strategy, and the fact that users could remotely access systems without any form of multi-factor authentication, were also criticised.

Cathay Pacific only became aware of suspicious activity in March 2018 – three and a half years after the initial breach – and only after the database was subjected to a brute-force attack, in which the attackers tried to guess passwords in an attempt to reach additional areas of the system.

Following this, a cybersecurity company was brought in to investigate the attack and the incident was referred to the ICO.

"People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here," said Steve Eckersley, ICO director of investigations.

"This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific's system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected," he added.

As a result of these failures, the ICO has issued Cathay Pacific with a fine of £500,000 – the maximum figure possible under the Data Protection Act 1998.


"The company would once again like to express its regret, and to sincerely apologise for this incident," said a statement from Cathay Pacific.

"Substantial amounts have been spent on IT infrastructure and security over the past three years and investment in these areas will continue," the airline added.

The Cathay Pacific data breach occurred before GDPR came into force in May 2018, which introduced significantly higher financial penalties for security breaches.