A Cathay Pacific flight docked at Hong Kong International Airport. Source: Shutterstock.


Cathay Pacific faces hefty fine for data breach of 9.4M customers

Aviation giant Cathay Pacific has been slapped with a US$650,000 fine by the UK’s Information Commissioner’s Office (ICO) for failing to protect customer personal data.

According to a statement issued by the regulator, approximately 9.4 million customers had their personal data compromised. The data exposed varied from customer to customer and included names, nationalities, passport details, and historical travel information.

The first unauthorized access to the airline’s computer systems took place in October 2014. The airline detected it in February 2015, but the intrusion was only fully remediated, and the unauthorized access brought to an end, in May 2018.

However, Cathay Pacific only reported the breach to the ICO in October 2018. The ICO noted that the attackers entered the airline’s systems via a server connected to the internet and installed malware to harvest the data.

On further investigation, the ICO found that the breach was made possible by multiple data security deficiencies on Cathay Pacific’s part.

In many instances, the airline did not comply with its own security policies. For example, database backups were never encrypted, even though its policy clearly required it.

Administrator dashboards that should have been accessible only to employees or authorized third parties were reachable from the public internet, and although the airline’s third-party access policy required risk assessments, none were carried out.

Some internet-facing servers were also left unpatched despite having known vulnerabilities. Patch management and anti-virus protection were severely inadequate, and key operating systems had gone out of vendor support, meaning they no longer received security fixes at all. Other failings included the lack of multi-factor authentication for VPN access, inadequate penetration testing, and poor preservation of digital evidence.

The ICO noted that the very existence of these policies showed Cathay Pacific was well aware of the gravity of a potential data breach, which made its failure to follow them all the more serious.

Steve Eckersley, the ICO’s director of investigations, said that people rightly expect companies to keep their personal details secure from potential harm or fraud.

“This breach was concerning, given the number of basic security inadequacies across Cathay Pacific’s systems […] the deficiencies we found were well below expected standards”.

Cathay Pacific was investigated under the Data Protection Act 1998 and issued the maximum fine available under that law, £500,000 (about US$650,000).

This is small compared with the penalty British Airways faces for exposing the data of around 500,000 customers in 2018. Because that breach occurred after the GDPR came into force, the proposed fine was roughly 367 times higher, at US$236 million.

Concerning this, Elizabeth Denham, the UK Information Commissioner, said: “People’s personal data is just that – personal. When an organization fails to keep it safe, it is more than an inconvenience. The law is clear that when you are entrusted with personal data, you must look after it”.

Indeed, Cathay Pacific and British Airways have learned the consequences of not protecting consumer data the hard way. Companies that gather or use data in any way ought to take heed, and always keep data privacy at the forefront of what they do.