Cathay Pacific Ordered to Pay £500,000 Fine Following Customer Data Exposure

The UK’s Information Commissioner’s Office, or ICO, has imposed a fine of £500,000 ($603,750) on Cathay Pacific Airways for its failure to adequately protect the personal data of customers. The half-million pounds fine is in fact the maximum possible under the UK’s Data Protection Act of 1998.  The ICO has clarified that Cathay Pacific is being sanctioned under the said Act, rather than the more recent General Data Protection Regulation, because of “the timing of the incidents in this investigation”.

The ICO, which describes itself as the UK’s independent body for the upholding of information rights, found that the airline’s computer systems had exposed information relating to 111,578 people in the UK alone. Outside of the UK, the personal data of a further 9.4 million people throughout numerous countries was exposed. The personal information compromised includes names, passport information, birth dates, telephone numbers, addresses and details relating to travel history.

The ICO investigation found that “Appropriate security” had not been in place for a duration of 3 years and 7 months, from October 2014 to May 2018.

In its Monetary Penalty Notice dated the 10th of February 2020, the ICO ruled that Cathay Pacific had first become aware that a problem existed in March of 2018, following what is referred to as a “brute force” password-guessing attack.

The airline, which is based in Hong Kong, self-reported the breach to the ICO on the 25th of October 2018. The watchdog confirmed that it had uncovered what it described as “a catalogue of errors” when carrying out its required investigation, which it detailed as follows:

-Database backups were not encrypted
-The internet-facing server was accessible due to a known and publicised vulnerability
-The administrator console was publicly accessible via the internet
-System A has hosted on an operating system that was no longer supported
-Cathay Pacific could not provide evidence of adequate server hardening
-Network users were permitted to authenticate past the VPN without multi-factor authentication
-The anti-virus protection was inadequate
-Patch management was inadequate
-Forensic evidence was no longer available during the commissioner’s investigation
-Accounts were given inappropriate privileges
-Penetration testing was inadequate
-Retention periods were too long

It is known that, at a minimum, one of the attacks concerned a server with a recognised vulnerability. Nonetheless, Cathay Pacific had neglected to apply the patch even though the vulnerability had been public knowledge for more than a decade. Director of investigations at the ICO, Steve Eckersley, stated that there had been numerous security inadequacies of a “basic” nature in the airline’s system, which ultimately had allowed hackers to access the system with relative ease.

Mr Eckersley went on to state that Cathay Pacific had fallen short on four of the National Cyber Security Centre’s five fundamental cyber-essentials.

The significance of Cathay Pacific being punished under the Data Protection Act 1998 rather than the GDPR is illustrated by comparing the case to recent ICO investigations.

In July 2019, it was announced that British Airways would face a fine of £183,000,000 following a breach of its systems. In the same month, the ICO confirmed that a fine of £99,200,000 would be imposed on the Marriott hotel group. Subsequently, both fines were delayed until 2020. Under the newer GDPR rules, introduced in May 2018, the maximum fine has been raised significantly. It’s evident that had Cathay Pacific’s failings occurred only a few months later, it would have been facing a much more significant punishment. Rather than the £500,000 penalty, the airline could have been fined a whopping £470,000,000 ($575,000,000).

Cathay Pacific’s breach was mitigated by the fact that it reacted immediately as soon as it became aware, consulted renowned cyber-security experts to rectify the problems, and moved to inform the customers who had been affected.

The ICO report also acknowledged that no cases of the exposed personal data being misused had been confirmed. Nonetheless, it was stated that such misuse was quite probable at some point in the future.

Since the announcement Cathay Pacific has reiterated its apologies to customers. It also assured customers that “substantial amounts” of money had been invested in reinforcing security over the last three years and that security was being viewed as an on-going concern that would be the subject of continuing investment and evolution.

About Eoin Campbell 21 Articles
Eoin P. Campbell is an honours law graduate (LL.B) from Queen's University Belfast and is a qualified solicitor. Eoin has moved from practicing law to teaching. Eoin is currently lecturing in law at two universities in Lyon, France, including a master's degree course in cyberlaw. Eoin provides commentary with a legal perspective on cybersecurity and data protection.