ICO Fines Cathay Pacific £500K
March 4, 2020
The Information Commissioner’s Office (ICO) has fined Cathay Pacific Airways
Limited £500,000 for failing to protect the security of its customers’
Between October 2014 and May 2018, Cathay Pacific’s computer systems
lacked appropriate security measures, which led to customers’ personal
details being exposed: 111,578 of those customers were from the UK, and
approximately 9.4 million more were from elsewhere in the world.
The airline’s failure to secure its systems resulted in the unauthorised
access to their passengers’ personal details including: names, passport
and identity details, dates of birth, postal and email addresses, phone
numbers and historical travel information.
Cathay Pacific became aware of suspicious activity in March 2018 when
its database was subjected to a brute force attack, where numerous
passwords or phrases are submitted with the hope of eventually guessing
correctly. The incident led Cathay Pacific to employ a cybersecurity
firm, and they subsequently reported the incident to the ICO.
The ICO found Cathay Pacific’s systems were entered via a server
connected to the internet and that malware was installed to harvest data. A
catalogue of errors was found during the ICO’s investigation, including:
back-up files that were not password protected; unpatched
internet-facing servers; use of operating systems that were no longer
supported by the developer; and inadequate anti-virus protection.
Steve Eckersley, ICO Director of Investigations, said: “People rightly
expect when they provide their personal details to a company, that those
details will be kept secure to ensure they are protected from any
potential harm or fraud. That simply was not the case here.
“This breach was particularly concerning given the number of basic
security inadequacies across Cathay Pacific’s system, which gave easy
access to the hackers. The multiple serious deficiencies we found fell
well below the standard expected. At its most basic, the airline failed
to satisfy four out of five of the National Cyber Security Centre’s
basic Cyber Essentials guidance.
“Under data protection law, organisations must have appropriate security
measures and robust procedures in place to ensure that any attempt to
infiltrate computer systems is made as difficult as possible.”
Strengthened UK and European data protection laws came into force in
2018; however, due to the timing of these incidents, the ICO investigated
this case under the Data Protection Act 1998. The ICO found
the breach to be a serious contravention of Principle 7 of the Data
Protection Act 1998, which states that appropriate technical and
organisational measures must be taken against unauthorised or unlawful
processing of personal data.
In addition to acting promptly in seeking expert assistance from a
leading cyber security firm, Cathay Pacific also issued appropriate
information to affected individuals and co-operated with the ICO’s