The UK’s Information Commissioner’s Office (ICO) has slammed Cathay Pacific for its “basic security inadeqacies” and fined it £500,000 – the maximum under the 1998 Data Protection Act – after the airline leaked the personal data of millions of customers.
A litany of basic security errors at the airline resulted in the compromise [pdf] of four of its databases by two distinct malicious actors; one of which accessed a “remote VPN, an external facing application platform and an administrative console”.
The breaches took place over a four-year period and were not spotted until 2018, before GDPR came into force. As a result Hong Kong-based airline has avoided a multi-million fine of the kind tentatively imposed on BA and the Marriott hotel group in 2019.
(Whether BA and Marriott will be actually hit with a notable sum remains an open question; there are signs they are being kicked into the long grass).
Cathay Pacific became aware of suspicious activity in March 2018 when a database was subjected to a brute force attack. The firm hired a cybersecurity firm who then contacted the ICO about the breach, triggering an investigation.
The ICO said it found “back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer and inadequate anti-virus protection.”
Cathay Pacific Fined: Firm Had Been Hacked Since 2014
The airline had been leaking data since 2014, the ICO found.
Four databases were breached: “System A”, described as a tool which “compiles reports on a number of different databases; “System B”, described as a tool for recording and processing membership details; “System C”; a back-end database supporting web applications, and “System D”, a “transient” database to redeem rewards.
The ICO said 111,578 of the airline’s UK customers had their data stolen. Over nine million more worldwide were also subject the loss of PII.
Cathay Pacific Fined for “Particularly Concerning” Failures
Steve Eckersley, ICO Director of Investigations, said: “This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected.
“At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.
Cesar Cerrudo, CTO for security research and services company IOActive, said: “This sum is a drop in the ocean compared to what it could have been.
“Companies who find themselves in the same situation today could face a fine of up to 4 percent of annual global turnover of $20 million, whatever is higher, which is more likely to put a serious financial strain on any organisation.
He added: “It’s absolutely vital to exercise good security hygiene, prioritise data protection and keep cyber resiliency in mind. This means looking at their processes from end-to-end, considering how devices and systems are being used, connected and who is using them, to truly get a strong gauge of their cybersecurity posture. Yet it is equally important to take a proactive approach and go out looking for threats, using third parties who can think like a hacker to really test your defences, so you are not caught off-guard. Ultimately, no business can ever be 100% secure; it’s all about understanding the threat surface, reducing your risk, and protecting the crown jewels – i.e. your customer data.”