Hong Kong’s flagship carrier Cathay Pacific Airways has been slapped with a $970,000 fine for failing to protect customers’ personal data, including passport numbers, dates of birth, phone numbers, addresses and travel history.
The massive security breach, which impacted 9.4 million people around the world, occurred after the airline’s computer systems were compromised by hackers.
The Information Commissioner’s Office said the airline first became aware that passenger details had been exposed in March 2018, and the regulator found a “catalogue of errors” during a follow-up investigation. The customers impacted by the breach were made aware of the error in October 2018, in what was deemed at the time one of the worst security incidents to hit the travel industry.
“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers,” Steve Eckersley, ICO director of investigations, said.
“The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.”
Some of the security and IT failings included back-up files that were not password protected, vulnerable internet-facing servers, and operating systems that had inadequate virus protection and were no longer supported by the developer.
A spokesperson for Cathay Pacific said the carrier “would once again like to express its regret, and to sincerely apologise for this incident,” adding that substantial upgrades had been made to its IT infrastructure and security since the breach.
“However, we are aware that in today’s world, as the sophistication of cyber attackers continues to increase, we need to and will continue to invest in and evolve our IT security systems,” the company said.
“We will continue to co-operate with relevant authorities to demonstrate our compliance and our ongoing commitment to protecting personal data.”
In 2019, British Airways was slapped with a £183 million ($A328 million) fine over a breach that compromised information on half a million customers.
The penalty was the biggest to date under new, tougher regulations and it accounted for 1.5 per cent of the airline’s total revenues for 2018.
The scam diverted customers wanting to book with the airline to a fake website where credit card details were harvested by the attackers.
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience,” UK information commissioner Elizabeth Denham said.
The fine for Cathay Pacific comes at a critical time for the carrier, which is haemorrhaging dollars in the wake of the global coronavirus outbreak.
Cathay Pacific is keeping around 120 planes out of the sky at any one time, and last week forced 75 per cent of staff, or 25,000 employees of the group, to take unpaid leave because of a lack of flights booked.
It is understood that for the month of March, the airline has slashed a scheduled 1470 flights per week for Cathay Pacific and Cathay Dragon. That number has now been cut by more than 1120.