Cathay Pacific Airways, a Hong Kong-based airline, has been fined by the Information Commissioner’s Office (ICO) for failing to protect UK customers’ data, the BBC reported earlier this week.
According to the report, the airline was fined $645,000 for exposing the details of 111,578 UK residents. Overall, more than nine million people had their data exposed in the breach, which took place over multiple years.
In 2018, Cathay Pacific discovered hackers had compromised its systems, in part by brute-forcing a password (systematically trying candidate passwords until one works, rather than exploiting a software flaw), and notified the ICO.
Sensitive information such as names, birth dates, phone numbers, physical addresses and travel history was compromised.
Having investigated the matter, the ICO concluded Cathay Pacific didn’t have “appropriate security” in place for at least four years. The company failed to password-protect its backups, its internet-facing servers weren’t patched, it was running operating systems long past end-of-life (and therefore no longer receiving security updates), and its antivirus protection was “inadequate”.
Steve Eckersley, the ICO's Director of Investigations, said hackers had it easy due to "a number of basic security inadequacies across Cathay Pacific's system.”
Despite incurring the ICO penalty, the company avoided a far larger fine under the General Data Protection Regulation. GDPR only took effect on 25 May 2018, after the breach had taken place, so the penalty was issued under the older legislation (the Data Protection Act 1998), which capped fines at £500,000, the amount Cathay Pacific was ordered to pay.
GDPR allows regulators to impose fines of up to €20 million or four percent of a company’s global annual turnover, whichever is higher, for data security infringements. Had the breach occurred after GDPR came into force, the airline could have faced a penalty of up to $564 million.