The Information Commissioner’s Office has fined airline company Cathay Pacific £500,000 for failing to prevent the breach of personal data of 111,578 Brits and around 9.4 million other people worldwide.
In November 2018, Cathay Pacific, one of the world’s largest airlines with a fleet size nearing 150 and operations in over 60 countries, revealed that the massive data breach it suffered earlier that year lasted for months before it was discovered and contained.
The airline company was subjected to a fine of £500,000 as it failed to protect sensitive customer information belonging to millions of travellers. The information exposed by the company over a period of almost four years (October 2014- May 2018) contained name, date of birth, postal and email addresses, phone numbers, passport and identity details of not only 111,578 citizens of the UK but of approximately 9.4 million more worldwide. They also contained 403 expired credit card numbers and 27 credit card numbers without associated CVV numbers.
Cathay Pacific came to know about this situation in March 2018, when they recruited a cyber security firm to investigate the breach and reported the incident to the ICO. Rupert Hogg, chief executive officer of Cathay Pacific, also issued an apology to affected customers.
“We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commenced a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.
“We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised. “We want to reassure our passengers that we took and continue to take measures to enhance our IT security. The safety and security of our passengers remains our top priority,” he added.
Hackers installed malware to steal personal data of Cathay Pacific customers
During the course of its investigation, ICO found that the airline’s system was accessed via a server connected to the internet and malware was installed to gather customer data. It also identified errors like unpatched internet-facing servers, back-up files that were not password protected, inadequate anti-virus protection, and the use of operating systems that were no longer supported by the developer.
“People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here. This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers,” said Steve Eckersley, Director of Investigations at the ICO.
“The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance. Under data protection law organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible,” He added.
ICO investigated this case under the Data Protection Act 1998, where they found that the company had breached Principle 7 of the Act which states that a company should take appropriate technical and organisational measures to avoid unauthorised or unlawful processing of personal data. So far, this has been the maximum fine applied to any organisation under the Data Protection Act 1998.
£500k fine is a drop in the ocean compared to a fine under GDPR for the same offense
Commenting on the situation, Cesar Cerrudo, CTO at IOActive, told TEISS that the Cathay Pacific breach demonstrated a litany of errors that left millions of customers’ data completely exposed for a number of years – many of which would have continued undiscovered had they not had a third party evaluation of their systems.
“As it took place before GDPR came into effect, the company has gotten off lightly with a £500k fine – which is the maximum penalty under the 1998 Data Protection Act. This sum is a drop in the ocean compared to what it could have been. Companies who find themselves in the same situation today could face a fine of up to 2% of annual global turnover of $20 million, whatever is higher, which is more likely to put a serious financial strain on any organisation.
“Companies can’t afford to stick their heads in the sand and ignore cyber security any longer. It’s absolutely vital to exercise good security hygiene, prioritise data protection and keep cyber resiliency in mind. This means looking at their processes from end-to-end, considering how devices and systems are being used, connected and who is using them, to truly get a strong gauge of their cybersecurity posture.
“Yet it is equally important to take a proactive approach and go out looking for threats, using third parties who can think like a hacker to really test your defences, so you are not caught off-guard. Ultimately, no business can ever be 100% secure; it’s all about understanding the threat surface, reducing your risk, and protecting the crown jewels – i.e. your customer data,” he added.