Cathay Pacific Fined Over $640,000 by UK Officials for 2018 Breach Incident

  • The investigating team also came noted “a catalog of errors” that led to the 2018 breach.
  • This breach incident is not included under GDPR rules owing to its timing.

Cathay Pacific, the flag carrier of Hong Kong, was fined over $640,000 by the UK’s data privacy watchdog for a 2018 security breach that exposed the data of around 9.4 million customers globally—111,578 of whom were UK residents.

What happened?
The Information Commissioner's Office of the UK, which imposed the penalty, said Cathay Pacific failed to protect customers' personal data.
  • The penalty is the maximum fine possible under relevant UK law.
  • Upon investigation, the ICO found that the attackers penetrated the airline’s system via an online server and dropped malware to harvest customer data.

What went wrong at Cathay?
The investigating team also came across “a catalog of errors” such as:
  • Unprotected (without password) back-up files
  • Unpatched Internet-facing servers
  • Working on operating systems that were no more supported by the developers firm
  • Poor antivirus protection

Also, as claimed by the airline firm, it first identified unauthorized access to its systems in March. However, the firm took six months to disclose the breach to the public.

Speaking on the matter, Steve Eckersley, the ICO's director of investigations, said, "This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected."

"At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance," Eckersley added.

The breach story 
This breach incident is not included under GDPR rules owing to its timing; it falls under previous UK data protection legislation. 
  • The breach lasted for close to four years and only got detected in the fall of 2018.
  • Unauthorized access to the company's systems exposed airline passengers’ personal details and identity, including postal and email addresses, phone numbers, and historical travel information.
  • Under GDPR guidelines, the airline would likely have faced a significantly larger penalty.

Response from the airline
The airline said it is committed to enhancing its security “in the areas of data governance, network security and access control, education and employee awareness, and incident response agility.”

  • It has spent substantial amounts on IT infrastructure and security, and plans to continue investing in these areas will continue.
  • The investigation found no evidence of any personal data being misused to date.

“We will continue to co-operate with relevant authorities to demonstrate our compliance and our ongoing commitment to protecting personal data,” the airline added.