The Information Commissioner’s Office (ICO) revealed on Wednesday that it had handed Cathay Pacific a £500,000 fine for failing to protect the personal data of more than 111,000 UK travellers.
But security experts warned that the Hong Kong flag-carrier could have been hit with a much higher penalty had the breach taken place after the EU’s new data protection regime came into effect.
According to the ICO, Cathay Pacific discovered evidence of suspicious activity in March 2018 and quickly took steps to fix the vulnerabilities, bringing an end to the breach in May, the same month GDPR came into force.
Cesar Cerrudo, chief technology officer of the security vendor IOActive, said the airline had “got off lightly with a £500,000 fine”, the maximum allowed under the Data Protection Act 1998. “This sum is a drop in the ocean compared to what it could have been,” Cerrudo added.
Under GDPR, companies can be fined up to 4 per cent of their annual global turnover or £20m, whichever is higher, for the most serious violations of the law.
The data breach, which exposed names, passport details, dates of birth, addresses, phone numbers and historical travel information, took place over nearly three years and was caused by a “catalogue of errors”, the ICO said. In total, the data of 9.4 million people was breached.
According to the data protection watchdog, the mistakes included: “Back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer and inadequate anti-virus protection.”
Steve Eckersley, the ICO’s director of investigations, said: “People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here.”
“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.”
The ICO unveiled plans last summer to fine British Airways and Marriott International £183m and £99m respectively for GDPR breaches. The regulatory process for the two fines was extended in January but will conclude at the end of this month.
A Cathay Pacific spokesperson told NS Tech: “The company would once again like to express its regret, and to sincerely apologise for this incident. The company has already taken measures to enhance its IT security in the areas of data governance, network security and access control, education and employee awareness, and incident response agility. Substantial amounts have been spent on IT infrastructure and security over the past three years and investment in these areas will continue.”