The UK’s Information Commissioner’s Office (ICO) has imposed a £500,000 fine on Cathay Pacific Airways for failing to protect customers’ personal data.
According to the ICO, Cathay Pacific will pay a £500,000 fine after the airline’s computer systems exposed customer data. It said details of 111,578 UK residents and a further 9.4 million people from other countries were left unprotected.
The exposed data included names, passport details, dates of birth, phone numbers, addresses and travel history. The ICO said that between October 2014 and May 2018 there was no “appropriate security” in place.
The ICO said the airline discovered the problem in March 2018, after it suffered a “brute force” password-guessing attack, and reported it to the UK regulator.
The Hong Kong-based airline eventually uncovered “a catalog of errors” during a follow-up investigation, including back-up files that were not password protected, internet-facing servers without the latest patches, operating systems that were no longer supported by their developer, and inadequate antivirus protection.
Steve Eckersley, the ICO’s director of investigations, explained that there were “a number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers”.
Eckersley added that the carrier had failed four of the five basic requirements in the National Cyber Security Centre’s Cyber Essentials guidance.
The £500,000 fine to be paid by Cathay Pacific is the maximum possible amount under the Data Protection Act 1998, which was used instead of the newer GDPR “due to the timing of the incidents in this investigation”.
According to the ICO, Cathay Pacific addressed the issues promptly once it became aware of them, sought expert help from a leading cybersecurity firm, and contacted affected customers.
In reaction to the fine, the company said it “would once again like to express its regret, and to sincerely apologize for this incident”.