The Information Commissioner’s Office (ICO) fined Cathay Pacific Airways £500,000 for failing to protect customers’ personal data.
The ICO said the airline had exposed personal details of 111,578 UK residents plus a further 9.4 million people from other countries.
The compromised data includes customers’ names, passport details, dates of birth, phone numbers, addresses and travel history.
“Appropriate security” was not in place between October 2014 and May 2018.
The ICO said Cathay Pacific became aware of a problem in March 2018, when it suffered a “brute force” password-guessing attack.
The carrier, based in Hong Kong reported the breach to the ICO. The regulator subsequently uncovered “a catalogue of errors” during a follow-up investigation, including:
back-up files that were not password protected
internet-facing servers without the latest patches
operating systems that were no longer supported by the developer
inadequate anti-virus protection
At least one attack involved a server with a known vulnerability – but the fix was never applied, despite having been public knowledge for more than 10 years.
Steve Eckersley, the ICO’s director of investigations, said there were “a number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers”.
The airline failed four out of five of the basic cyber-essentials guidance from the National Cyber Security Centre, he added.
The £500,000 fine Cathay Pacific now faces is the maximum possible under the Data Protection Act 1998, which was used instead of the GDPR “due to the timing of the incidents in this investigation”.
In July 2019, the ICO announced it would fine British Airways £183m for a breach of its systems, and the Marriott hotel group £99.2m. But both fines were delayed until later this year.
The ICO said that Cathay Pacific had acted promptly once it became aware, and sought expert help from a top cyber-security firm, and had also contacted affected customers.
The report also noted there were no confirmed cases of the personal data being misused – but that it was very likely it would be in future.
In a statement about the fine, Cathay Pacific said it “would once again like to express its regret, and to sincerely apologise for this incident”.
It said “substantial amounts” of money had been spent on security in the past three years.
“However, we are aware that in today’s world, as the sophistication of cyber-attackers continues to increase, we need to and will continue to invest in and evolve our IT security systems.”
Source: BBC News