International airline fined £500,000 for failing to secure customers’ personal data

11 Mar 2020

The Information Commissioner’s Office (ICO) has fined Cathay Pacific Airways Limited £500,000 for failing to protect the security of its customers’ personal data – the highest penalty available to the regulator under the monetary penalty regulations.

Between October 2014 and May 2018 Cathay Pacific’s computer systems lacked appropriate security measures, leading to the exposure of customers’ personal details. Of the affected customers, 111,578 were from the UK, and approximately 9.4 million more were from elsewhere in the world.

The airline’s failure to secure its systems resulted in unauthorised access to its passengers’ personal details, including names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.

There have been no confirmed cases of misuse of the personal data by the hackers; however, social engineering (“phishing”) attacks against the affected customers are likely to succeed, given the confidential nature of the stolen data, which includes passport numbers.

Cathay Pacific became aware of suspicious activity in March 2018 when its database was subjected to a brute force attack, in which numerous passwords or passphrases are submitted in the hope of eventually guessing one correctly. The incident led Cathay Pacific to engage a cybersecurity firm, and it subsequently reported the incident to the ICO.

The ICO found that Cathay Pacific’s systems were entered via an internet-connected server and that malware was installed to harvest data. A catalogue of errors was found during the ICO’s investigation, including back-up files that were not password protected, unpatched internet-facing servers, use of operating systems that were no longer supported by their developer, and inadequate anti-virus protection.

Steve Eckersley, ICO Director of Investigations, said:

“People rightly expect when they provide their personal details to a company that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here.

“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.

“Under data protection law organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible.”

Strengthened UK and European data protection laws came into force in 2018; however, due to the timing of these incidents the ICO investigated this case under the Data Protection Act 1998. The ICO found the breach to be a serious contravention of Principle 7 of the Data Protection Act 1998, which states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data. It also found that the airline failed to heed its own policies, which contributed to the level of fine.

Full details of the investigation can be found in the Monetary Penalty Notice.
