Cathay Pacific Fined For 2018 Data Breach
“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers.” - ICO Director
The UK’s Information Commissioner’s Office (ICO) has fined Cathay Pacific 500,000 pounds (USD $644,000) following an investigation into the airline’s response to a 2018 data breach.
The penalty was issued under the UK’s 1998 Data Protection Act, which has since been replaced by the GDPR; under the GDPR, Cathay Pacific could have been liable for a fine of up to 4% of yearly revenue.
The breach exposed the private data of millions of customers, including more than 100,000 UK residents, which prompted the Information Commissioner’s Office to get involved.
According to the ICO, between October 2014 and May 2018, inadequate security measures within Cathay’s IT network resulted in a data breach that exposed the private data of more than 9.4 million customers who had flown with the airline.
“People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here,” said Steve Eckersley, Director of Investigations at the ICO.
“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers.”
“The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.”
According to AsiaTimes, “the Hong Kong-based airline in October 2018 admitted that about 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no verification value (CVV) were accessed.”
Other details caught up in the data breach included dates of birth, phone numbers, email addresses, residential addresses and nationality details.
Cathay Pacific has since released a statement expressing “its regret, and to sincerely apologise,” for the breach, adding that the company had invested in strengthening its cybersecurity policies and has spent “substantial amounts” on its new computing infrastructure.
InfoSecurity Magazine is reporting that “it took Cathay Pacific seven months to report the incident, although it was under no legal obligation to do so at all. The privacy commissioner was also powerless to levy fines. The only option was an enforcement notice citing violation of privacy laws and an order that the firm improved its cybersecurity posture.”
“Even if the airline had failed to comply with the order, it would only have faced a fine of USD $6433,” writes Phil Muncaster. “The Special Administrative Region (SAR) of China is looking to update its privacy laws in line with the GDPR, to include major fines levied in the future as a percentage of global turnover.”