Cathay Pacific Airlines has been fined £500,000 by the Information Commissioner’s Office for failing to protect customers’ personal data between October 2014 and May 2018.
The airline’s computer systems were found to have inadequate security measures, which exposed customer details such as names, dates of birth, passport information, addresses and travel history. The breach affected approximately 9.5 million customers, over 100,000 of them from the UK.
Cathay Pacific, which is based in Hong Kong, said that it became aware of the breach in March 2018 when it experienced a “brute-force” attack. In a brute-force attack, large numbers of password guesses are submitted against accounts in the hope that one of them is correct. Following the attack, the airline hired a cybersecurity firm and reported the incident to the data watchdog.
Regarding the data breach, the ICO’s Director of Investigations, Steve Eckersley, said:
“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.”
He continued: “Under data protection law organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible.”
The ICO also said its further investigation uncovered a number of other failings, including:
- Files which were not password protected
- Lack of anti-virus protection
- Out-of-date operating systems
Cathay Pacific isn’t the only airline to face ICO fines in light of severe data breaches. In July 2019, British Airways received a record £183 million notice of intention to fine from the watchdog, which found that “a variety of [customer] information was compromised”. This included names, email addresses, and credit card details. BA described the attack as a “sophisticated, malicious criminal attack”. This intention to fine remains one of the largest handed out by the ICO under GDPR legislation.
Jamal Ahmed, Director of Kazient Privacy Experts, said of the breach:
“It’s great to see the ICO taking positive enforcement action against organisations that are failing to take data protection seriously. Data Privacy is a human right and the sooner organisations get on board with that the better it will be for both them and the individuals whose personal data they collect.”
Kazient Privacy Experts offers bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.