The Information Commissioner’s Office (ICO) in the United Kingdom has sanctioned a £500,000 data breach penalty against airline Cathay Pacific in relation to security lapses which exposed the personal data of 111,578 UK citizens and up to 9.4 million customers worldwide.
This represents the maximum penalty under UK law at the time that the breach occurred. Indeed, the airline can count itself particularly lucky: if the breach had taken place after the 25 May 2018 introduction of the General Data Protection Regulation by the European Union, then the fine could have been as high as €20m or 4% of annual global revenue.
The airline claimed that it first discovered the breach during March of 2018 but failed to address the situation for almost six months. The ICO revealed that this failure led to unauthorised access to passengers’ personal details, including names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information. It has also been made public that the breaches had been occurring since 2014.
The ICO wrote in a press release: “Cathay Pacific’s systems were entered via a server connected to the internet and malware was installed to harvest data,” adding that it found “a catalogue of errors” during the investigation, including back-up files that were not password protected; unpatched Internet-facing servers; use of operating systems that were no longer supported by the developer; and inadequate antivirus protection.
Commenting on Cathay Pacific’s penalty in a statement, Steve Eckersley, the ICO’s director of investigations, said: “People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here. This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.”
He added: “Under data protection law organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible.”
Responding to the revelation, Cathay Pacific released a statement saying that it has since taken steps to enhance security “in the areas of data governance, network security and access control, education and employee awareness, and incident response agility. Substantial amounts have been spent on IT infrastructure and security over the past three years and investment in these areas will continue. We have co-operated closely with the ICO and other relevant authorities in their investigations. Our investigation reveals that there is no evidence of any personal data being misused to date.”
It ended: “However, we are aware that in today’s world, as the sophistication of cyber attackers continues to increase, we need to and will continue to invest in and evolve our IT security systems. We will continue to co-operate with relevant authorities to demonstrate our compliance and our ongoing commitment to protecting personal data.”
The ICO in the UK has been particularly diligent in applying data breach fines under both the old legislation and the new EU GDPR legislation. It is envisaged that it will have a UK version of GDPR ready to take effect when the Brexit process is complete.