The Information Commissioner's Office (ICO) has fined Hong Kong airline Cathay Pacific £500,000 for failing to protect the data of approximately 9.4 million people in 2018.
From October 2014 to May 2018, the airline's computer systems lack basic security measures, according to the ICO, which led to customer's personal data being exposed.
An ICO investigation found that Cathay Pacific had failed to secure its computer systems and allowed unauthorised access to personal details such as names, passport and identity data, dates of birth, postal and email addresses, phone numbers and also historic travel records.
Of the 9.4 million customers who had their data exposed, 111,578 were from the UK, but due to the timing of the breach, the company has received a maximum monetary fine under the Data Protection Act 2018, rather than the GDPR.
"This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific's system, which gave easy access to the hackers," said Steve Eckersley, ICO director of investigations.
"The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre's basic Cyber Essentials guidance."
The airline hired a cyber security firm after noticing suspicious activity in March 2018. The incident was then reported to the ICO by the company Cathay had hired. In its investigation, the ICO found that its systems were entered via a server connected to the internet where malware was installed to harvest data.
An investigation quickly followed and the data watchdog said it found a "catalogue" of errors, such as back-up files without passwords, unpatched internet-facing servers, unsupported operating systems and inadequate antivirus software.
Responding to the ICO's notice, Cathay Pacific told IT Pro that it had already taken measures to enhance its IT security in areas such as data governance, network security and access control, education and employee awareness, and incident response agility.
"Substantial amounts have been spent on IT infrastructure and security over the past three years and investment in these areas will continue," the airline said. "We have co-operated closely with the ICO and other relevant authorities in their investigations."
-
Five Reasons to Adopt Liquid Coolingwhitepaper
-
How to pick your next CEO – and ensure they have the qualities of a great tech leaderIn-depth Experience in choosing a CEO does not mean you get better at it – why is that, and how can you make sure you're always looking at succession with a fresh perspective?
-
Cyber attacks have rocked UK retailers – here's how you can stay safeNews Following recent attacks on retailers, the NCSC urges other firms to make sure they don't fall victim too
-
ICO admits it's too slow dealing with complaints – so it's eying up automation to cut staff workloadsNews The UK's data protection authority has apologized for being slow to respond to data protection complaints, saying it's been overwhelmed by increased workloads.
-
“Limited resources” scupper ICO probe into EasyJet breachNews The decision to drop the probe has been described as “deeply concerning” by security practitioners
-
Surge in workplace monitoring prompts new ICO guidelines on employee privacyNews Detailed guidance on how to implement workplace monitoring could prevent data protection blunders
-
TikTok could be hit with £27m fine for failing to protect children's privacyNews Social media firm issued with a notice from the ICO for potential violations of UK data protection laws
-
What is AdTech and why is it at the heart of a regulation storm?In-depth The UK data regulator has come under heavy fire for consistently delaying much-needed action, privacy groups say
-
ICO crackdown on AI recruitment part of three-year vision to save businesses £100 millionNews ICO25 outlines a fresh approach that involves releasing learning materials, advice, and a new ICO-moderated discussion forum for businesses
-
Clearview AI fined £7.5m over improper use of UK dataNews Australian facial recognition firm collected 20 billion images from the internet without consent in order to build its database
