LONDON – The UK Information Commissioner’s Office (ICO) on Wednesday announced a fine of £500,000 ($636,000) for the international airline Cathay Pacific over a data breach that occurred between October 2014 and May 2018 and affected 9.4 million users.
Cathay Pacific Given Maximum Pre-GDPR Fine
The ICO concluded that Cathay Pacific’s systems were breached due to “negligence,” with malware used to harvest a variety of personal data, including names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information. The investigation found that a number of serious errors had been made, including not protecting back-up files with passwords, leaving internet-facing servers unpatched, continuing to use operating systems that were no longer supported by their developer, and not having sufficient anti-virus protection in place.
Steve Eckersley, ICO Director of Investigations, said:
This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.
Despite this, the ICO accepted that Cathay Pacific “acted promptly and forthrightly” after becoming aware of a brute force attack in March 2018. It hired a cybersecurity firm and informed the ICO. Furthermore, the airline “went above and beyond its legal duties” in informing victims and co-operating with the investigation.
As the incident occurred before the introduction of GDPR, the ICO investigated it under older legislation. The £500,000 fine was as big as it could issue under those laws.