UK’s ICO Fines Cathay Pacific Airways £500,000 for Customer Data Leak

• ICO fines Cathay for the 2018 data breach revelation, but the amount isn’t exactly bashing.
• Cathay’s servers remained infected by data-harvesting malware for almost four years.
• If the GDPR was taken into account, Cathay would have been called to pay about £500 million.

The Information Commissioner’s Office (ICO) in the UK has imposed a somewhat “light” fine of £500,000 onto Cathay Pacific Airways Limited, for the airline’s failure to secure its systems appropriately. For almost four years between 2014 and 2018, Cathay Pacific's computers were lacking basic security and data protection measures, which resulted in the leaking of the personal information of more than 9.4 million customers. As 111578 of them were from the UK, the ICO had the authority to impose a penalty on the company.

ICO investigated the issue when the first signs of a breach became evident in May 2018. The Hong Kong-based aviation company with a fleet size of 133 aircraft discovered that hackers had accessed their servers and planted malware to steal passenger data during the aforementioned time period. Finally, they confirmed that 860000 passport numbers, 245000 identity cards, and 430 credit card numbers were stolen by hackers. Cathay was subsequently accused of trying to bury the incident as it took them seven months to disclose the details, and they were finally compelled to do it when customer information appeared on the dark web.

ICO states that the company has failed to live up to its clients’ expectations who entrusted them with their personal details. As they said, their investigation revealed multiple and multi-level failures to protect client data. Steve Eckersley, ICO’s Director of Investigations said:

“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance. Under data protection law, organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible.”

As the ICO clarifies, the timing of the incident and the investigation that followed was such that they had to do it under the Data Protection Act of 1998. In 2018, stricter data protection laws came into force in Europe, so the fine would be significantly larger (about $564 million) if GDPR was taken into account. Still, half a million pounds sterling should be enough to convince Cathay Pacific and any other airline to take the security of their passenger data more seriously. Having invested this amount on cybersecurity would have probably prevented this incident from having ever happened.