Hong Kong-based air carrier Cathay Pacific is set to pay a fine £500,000, or approximately US$640,000, over a data breach that happened in 2018. According to UK’s Information Commissioner’s Office (ICO), the fine has been issued due to the airline’s failure to secure its passengers’ personal details, leading to a major data breach that had compromised the security of millions of people.
As recorded by ICO, the Cathay Pacific’s computer systems have lacked the appropriate security measures from October 2014 to May 2018, which enabled a third party to have unauthorised access to their passengers’ personal details, including their names, passport, birthdates, postal and email address, phone numbers, as well as travel information.
“People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here,” said ICO Director of Investigations, Steve Eckersley.
“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance,” he added.
As claimed by the office, it is not only in March of 2018 that Cathay Pacific discovered suspicious activity in its database after threat actors tried a brute force password-guessing attack. This led the airline giant to employ a cybersecurity firm and alerted the ICO about the incident.
In the course of the investigation, the UK’s data protection watchdog found that the airline’s systems have been compromised via a server connected to the internet, in which malware has been installed to collect data.
“A catalogue of errors were found during the ICO’s investigation including back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer and inadequate anti-virus protection,” ICO wrote.
Aside from the personal details of customers, Cathay said that the investigation reveals that the intruders also accessed 403 expired credit card numbers and 27 credit card numbers without a CVV attached. Overall, the incident compromised personal information belonging to 111,578 people from the UK and about 9.4 million more worldwide.
“Under data protection law organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible,” said Eckersley.