DataBreaches.Net


UK: Cathay Pacific Airways Limited fined £500,000 for failing to secure its customers’ personal data

Posted on March 4, 2020 by Dissent

From the ICO:

The Information Commissioner’s Office (ICO) has fined Cathay Pacific Airways Limited £500,000 for failing to protect the security of its customers’ personal data.

Between October 2014 and May 2018 Cathay Pacific’s computer systems lacked appropriate security measures, which led to the personal details of its customers being exposed; 111,578 of those customers were from the UK, and approximately 9.4 million more were worldwide.

The airline’s failure to secure its systems resulted in the unauthorised access to their passengers’ personal details including: names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.

Cathay Pacific became aware of suspicious activity in March 2018 when its database was subjected to a brute force attack, where numerous passwords or phrases are submitted with the hope of eventually guessing correctly. The incident led Cathay Pacific to employ a cybersecurity firm, and they subsequently reported the incident to the ICO.

The ICO found Cathay Pacific’s systems were entered via a server connected to the internet and malware was installed to harvest data. A catalogue of errors was found during the ICO’s investigation, including: back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer; and inadequate anti-virus protection.

Steve Eckersley, ICO Director of Investigations, said:

“People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here.

“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.

“Under data protection law organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible.”

Strengthened UK and European data protection laws came into force in 2018; however, due to the timing of these incidents, the ICO investigated this case under the Data Protection Act 1998. The ICO found the breach to be a serious contravention of Principle 7 of the Data Protection Act 1998, which states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.

In addition to acting promptly in seeking expert assistance from a leading cyber security firm, Cathay Pacific also issued appropriate information to affected individuals and co-operated with the ICO’s investigation.

Full details of the investigation can be found in the Monetary Penalty Notice.

The monetary penalty notice contains more details about how the breach involved four of the airline’s systems:

(1) System A, a reporting tool which compiles reports on a number of different databases, including its customer database.
(2) System B, used for processing and recording the membership details of data subjects in the member group.
(3) System C, a shared back-end database primarily used to support web-based applications.
(4) System D, a transient database which allows Asia Miles members to redeem non-air awards.

The investigation revealed that there appeared to be two unrelated groups of attackers that both hit the airline:

(1) Group 1 was responsible for the attack on System A, and Cathay Pacific has not been able to establish how access to the network was achieved.
(2) Group 2 was responsible for the attack on Systems B, C and D. It appears that Group 2 entered first via an internet-facing server. Once able to move laterally within Cathay Pacific’s environment, the attackers were able to install malware to harvest credentials from 10 August 2017. Using these credentials, Group 2 was then able to access a remote VPN, an external facing application platform and an administrative console.

The investigation concluded that the earliest known date of unauthorised access to Cathay Pacific’s systems had been 15 October 2014. The earliest known date of unauthorised access to personal data was 2 July 2015.
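The ICO release describes the March 2018 brute-force attempt as the point at which Cathay Pacific noticed suspicious activity, even though the earliest known unauthorised access dated to October 2014. As an added example (not code from this post, the ICO notice or the airline), here is the kind of sliding-window check an authentication log pipeline can run to surface that sort of activity: repeated failures against one account, one guess sprayed across many accounts, and the signal that actually matters, a success from a source that had just been failing. The log format, field names, IP addresses, user names and thresholds are all assumptions chosen for illustration.

```python
"""Sliding-window detection of brute-force and password-spray logins.

Added example for this post; it is not code from DataBreaches.net, Cathay
Pacific or the ICO. The log format, field names and thresholds are
assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format). Three sources: one hammering a
# single account, one spraying a guess across many accounts and then
# succeeding, and one ordinary user who mistypes a password twice.
SAMPLE_LOG = """\
2018-03-13T02:00:01Z AUTH_FAIL user=jsmith src=203.0.113.7
2018-03-13T02:00:02Z AUTH_FAIL user=jsmith src=203.0.113.7
2018-03-13T02:00:03Z AUTH_FAIL user=jsmith src=203.0.113.7
2018-03-13T02:00:04Z AUTH_FAIL user=jsmith src=203.0.113.7
2018-03-13T02:00:05Z AUTH_FAIL user=jsmith src=203.0.113.7
2018-03-13T02:00:06Z AUTH_FAIL user=jsmith src=203.0.113.7
2018-03-13T02:10:00Z AUTH_FAIL user=alee src=198.51.100.22
2018-03-13T02:10:30Z AUTH_FAIL user=bwong src=198.51.100.22
2018-03-13T02:11:00Z AUTH_FAIL user=cchan src=198.51.100.22
2018-03-13T02:11:30Z AUTH_FAIL user=dkumar src=198.51.100.22
2018-03-13T02:12:00Z AUTH_FAIL user=epatel src=198.51.100.22
2018-03-13T02:12:30Z AUTH_OK user=epatel src=198.51.100.22
2018-03-13T03:00:00Z AUTH_FAIL user=mmorris src=192.0.2.10
2018-03-13T03:00:20Z AUTH_FAIL user=mmorris src=192.0.2.10
2018-03-13T03:00:40Z AUTH_OK user=mmorris src=192.0.2.10
not a recognised log line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"(?P<result>AUTH_FAIL|AUTH_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a recognised line, or None so the caller skips it."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(lines, window=timedelta(minutes=5), max_failures=5,
                      min_users_for_spray=3, success_after=3):
    """Emit one alert per source when its failures inside `window` reach
    `max_failures` (classified as a spray if they span many accounts), and a
    separate alert when a success follows at least `success_after` recent
    failures from the same source."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures in window
    alerted = set()               # sources already reported for a failure burst
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:   # expire failures outside window
            q.popleft()
        if ev["result"] == "AUTH_FAIL":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= max_failures and ev["src"] not in alerted:
                alerted.add(ev["src"])
                users = {u for _, u in q}
                alerts.append({
                    "kind": "password_spray" if len(users) >= min_users_for_spray else "brute_force",
                    "src": ev["src"], "failures": len(q),
                    "distinct_users": len(users), "at": ev["ts"],
                })
        elif len(q) >= success_after:
            # A success right after a burst of failures is the alert worth paging on.
            alerts.append({
                "kind": "success_after_failures", "src": ev["src"],
                "user": ev["user"], "failures": len(q), "at": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed log, this flags 203.0.113.7 as a brute force against one account, 198.51.100.22 as a password spray and then again when its guess lands on epatel, and stays quiet for the user at 192.0.2.10 who simply mistyped twice. The thresholds are deliberately tight for a short sample; on a real login service the window and counts should be tuned against baseline failure rates, and the success-after-failures alert is the one to route to a human, because a brute force that never succeeds is noise while one that does is an account takeover in progress.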

Category: Business Sector, Commentaries and Analyses, Non-U.S., Of Note
