The Information Commissioner’s Office (ICO) has fined Cathay Pacific Airways £500,000 for poor security that exposed the personal data of 9.4 million passengers – 111,578 of whom were from the UK.

It found backup files that were not password-protected, unpatched web-facing servers and out-of-date operating systems.

The breach occurred between October 2014 and May 2018 and exposed passengers’ names, passport and identity details, dates of birth, postal and email addresses, phone numbers, and travel history, as well as 430 credit card numbers, 27 of which were active.

The Hong Kong-based airline was made aware of the issue in March 2018, when it suffered a “brute force” password hack and reported the breach to the ICO.

The regulator said it subsequently uncovered “a catalogue of errors” during a follow-up investigation, including:

  • back-up files that were not password protected
  • internet-facing servers without the latest patches
  • operating systems that were no longer supported by the developer
  • inadequate anti-virus protection

Steve Eckersley, the ICO’s director of investigations, said there were “a number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers”.

At least one attack involved a server with a known vulnerability – but the fix was never applied, despite having been public knowledge for more than 10 years.

Mr Eckersley added that the airline failed to satisfy four out of five of the basic Cyber Essentials guidance from the National Cyber Security Centre.

He said: “People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here.

“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.

“Under data protection law organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible.”

Data Protection Act 1998

Due to the timing of the attack, the £500,000 fine is the maximum possible under the Data Protection Act 1998, which was used instead of the newer GDPR.

In a statement about the fine, Cathay Pacific said it “would once again like to express its regret, and to sincerely apologise for this incident”.

It said “substantial amounts” of money had been spent on security in the past three years.

It added: “However, we are aware that in today’s world, as the sophistication of cyber-attackers continues to increase, we need to and will continue to invest in and evolve our IT security systems.”

The ICO said that Cathay Pacific had acted promptly once it became aware of the breach and that it had also contacted affected customers.