The U.K. Information Commissioner’s Office (ICO) has fined airline Cathay Pacific £500,000 (U.S. $643,000) for failing to protect the personal data of millions of customers.

The ICO found that between October 2014 and May 2018—just weeks before the European Union’s strict and highly punitive General Data Protection Regulation (GDPR) came into force—Cathay Pacific’s computer systems “lacked appropriate security measures,” which led to some 9.4 million customers’ personal details being exposed, 111,578 of whom were from the United Kingdom.

The airline’s failure to secure its systems resulted in unauthorized access to passengers’ personal details, including names, passport and identity details, dates of birth, postal and email addresses, phone numbers, and historical travel information, according to the ICO.

So far, there have been no confirmed cases of the hackers misusing any of the data.

Cathay Pacific became aware of suspicious activity on March 13, 2018, when its database was subjected to a “brute force” attack, where numerous passwords or phrases are submitted with the hope of eventually guessing them correctly. The incident led the airline to employ a cyber-security firm to carry out an internal investigation. It self-reported the breach to the regulator in October 2018—five months after the GDPR came into force.

The ICO found “multiple serious deficiencies” with Cathay Pacific’s systems, which were entered via a server connected to the internet. Malware had been installed to harvest customer data.

The ICO’s investigation uncovered “a catalogue of errors,” including back-up files that were not password protected; unpatched internet-facing servers; the use of operating systems that were no longer supported by the developer; and inadequate anti-virus protection.

At least one attack involved a server with a known vulnerability, but the fix was never applied, despite having been public knowledge for more than 10 years. Forensic evidence was also lost when the affected servers were decommissioned.

Steve Eckersley, ICO director of investigations, said: “This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected.”

Despite the reputational knock, Cathay Pacific dodged a bullet by uncovering and investigating the breach before the GDPR came into effect. As such, the company could only be sanctioned under the old Data Protection Act for failing to take “appropriate technical and organizational measures,” where £500,000 was the maximum penalty available.

Under the GDPR, such a massive breach and lack of adequate protection could easily have seen the ICO issue a penalty much closer to the 4 percent of turnover limit allowed under the newer EU legislation. If that had been the case, the airline could have faced a fine of around £470 million (U.S. $604 million).

Experts say the fine should act as a “wake-up call” to organizations.

Jake Olcott, vice president of government affairs at Bitsight, a company that performs cyber-security ratings, says: “This fine once again highlights that boards are accountable for strong cyber-security performance, regardless of the monetary penalty. They must manage it in a similar way to any other critical business issue. Poor performance leads to breaches, fines, and legal liability.”

In a statement, Cathay Pacific said it has taken measures to enhance its IT security to improve data governance, incident response agility, network security, and access control, and it has also taken steps to improve employee awareness.

“We are aware that in today’s world, as the sophistication of cyber-attackers continues to increase, we need to and will continue to invest in and evolve our IT security systems,” said a spokesperson.

“We will continue to cooperate with relevant authorities to demonstrate our compliance and our ongoing commitment to protecting personal data.”