LONDON – The UK Information Commissioner’s Office (ICO) announced a fine of £500,000 ($636,000) for the international airline Cathay Pacific on Wednesday. The fine relates to a data breach that occurred between October 2014 and May 2018, affecting 9.4 million users.

Cathay Pacific plane taking off

Cathay Pacific Given Maximum Pre-GDPR Fine

The ICO concluded that Cathay Pacific’s systems were breached due to “negligence,” with malware used to harvest a variety of personal data. This included: names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information. The investigation found a number of huge errors had been made, including not protecting back-up files with passwords, leaving internet-facing servers unpatched, continuing to use operating systems that were no longer being supported by the developer, and not having sufficient anti-virus protection in place.

Steve Eckersley, ICO Director of Investigations, said:

This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.

Despite this, the ICO accepted that Cathay Pacific “acted promptly and forthrightly” after becoming aware of a brute force attack in March 2018. It hired a cybersecurity firm and informed the ICO. Furthermore, the airline “went above and beyond its legal duties” in informing victims and co-operating with the investigation.

As the incident occurred before the introduction of GDPR, the ICO investigated it under older legislation. The £500,000 fine was as big as it could issue under those laws.

wab95

Charlotte: Sadly, yours truly is likely amongst those Cathay clients whose data was stolen. This illustrates, yet again, that despite the best practices one might follow in security regimens in one’s own life, an individual can nonetheless suffer multiple incidences, none by their own making, to have their vital data stolen by actors whose intentions, while unknown, cannot be good. This is beyond unacceptable; it is non-sustainable. The data that professional thieves, state sponsored or private, are stealing can be used to leverage access to even more data and assets, or be weaponised to inflict real harm (eg using vital…