Out-Law / Your Daily Need-To-Know

Cathay Pacific fined in the UK over data breach

Out-Law News | 05 Mar 2020 | 9:33 am | 2 min. read

Cathay Pacific has been fined £500,000 by the UK's data protection authority after more than 100,000 UK customers' data was compromised following a cyber attack.

The airline first went public about a "data security event" in October 2018 following months of investigations by the company and a third party cybersecurity firm. The company said at the time that there had been "unauthorised accessed" to personal data belonging to some of its customers, and those of sister airline Cathay Dragon. It said "up to 9.4 million people" globally had their data compromised. The Information Commissioner's Office (ICO) has now confirmed 111,578 people from the UK were impacted.

According to the company, data compromised included passenger names, nationality, their date of birth, phone number, email, address, passport number, identity card number, frequent flyer programme membership number, customer service remarks, and historical travel information.

Cathay Pacific has a branch based in London and it notified the ICO of the breach. The ICO investigated and found that there had been unauthorised access to the company's systems since 15 October 2014 and that those systems were not secured against such access until 11 May 2018.

The ICO identified a number of "basic security inadequacies" that the airline was responsible for. These included a lack of encryption of data backups, not fixing a known vulnerability, running with an unsupported operating system, and not implementing multi-factor authentication. Further issues with the company's data retention practices, anti-virus protection, patch management and penetration testing were also identified by the regulator.

The ICO determined that Cathay Pacific was responsible for a serious breach of UK data protection laws. The company has apologised for the breach and said it has invested in improving its security, according to the BBC.

"We are aware that in today's world, as the sophistication of cyber-attackers continues to increase, we need to and will continue to invest in and evolve our IT security systems," Cathay Pacific said, according to the BBC's report.

The £500,000 penalty is the maximum level fine the ICO could impose under the Data Protection Act (DPA) 1998, the legislation which applied in this case.

The DPA 1998 applied here because the conduct in question occurred prior to when the General Data Protection Regulation (GDPR) and new DPA 2018 began to apply, on 25 May 2018. The GDPR and DPA 2018 replaced the DPA 1998 which was repealed on the same date.

Cathay Pacific is headquartered in Hong Kong. Like the UK ICO, Hong Kong's privacy commissioner, Stephen Wong, also carried out an investigation into the company's data breach.

At the end of his investigation last year, Wong served an enforcement notice on Cathay Pacific which requires the airline to "engage an independent data security expert to overhaul the systems containing personal data". Cathay Pacific was also ordered to strengthen remote access authentication controls, commission independent data security testing of its network and change its data retention policy to make it clearer how long it will hold on to passenger data for.