Airline fined £500,000 for mass data breach of customers’ personal data

The Information Commissioner's Office (ICO), UK, has imposed a penalty of £500,000 on Cathay Pacific Airways for failing to secure personal data of its customers.

“Between October 2014 and May 2018 Cathay Pacific’s computer systems lacked proper security measures which led to customers’ personal details being exposed, 111,578 of whom were from the UK, and about 9.4 million more worldwide,” said the ICO announcement.

"The airline's failure to secure its systems resulted in the unauthorised access to their passengers' personal details including: names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information," the ICO said, issuing the fine.

The regulator listed a litany of errors on the Hong Kong flag carrier's side, including back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer; and inadequate anti-virus protection.

At least one attack used a server that harboured a known vulnerability and had not been patched for more than 10 years, despite the airline's knowledge of its existence. Hong Kong's Privacy Commissioner last year found that the airline had shown a low regard for data privacy and had delayed disclosing the 2018 breach.

"This breach was particularly concerning given some basic security inadequacies across Cathay Pacific's system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected," he added.

“At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.”

In light of these failures, the ICO has issued Cathay Pacific with a fine of £500,000, the highest figure possible under the Data Protection Act 1998. Companies that find themselves in the same situation today could face a fine of up to four percent of annual global turnover or €20 million (£17 million), whichever is higher, which is more likely to put a serious financial strain on any organisation.

"The company would once again like to express its regret, and to sincerely apologise for this incident," said a statement from Cathay Pacific.

The company statement claims that "substantial amounts" of money had been spent on improving security in the past three years.

"However, we are aware that in today's world, as the sophistication of cyber-attackers continues to increase, we need to and will continue to invest in and evolve our IT security systems," it added.