Cathay Pacific fined £500,000 by British privacy watchdog for 2018 data breach but avoids potentially heftier penalty under European regulation

Cathay hit with maximum penalty under British Data Protection Act, while potential fine under European regulation could have been HK$4.4 billion

Some 9.4 million customers worldwide were affected by the breach, which was publicly disclosed in October 2018

Reading Time:2 minutes

Cathay Pacific again apologised for the incident, which came to light in late 2018. Photo: Winson Wong

Published: 11:57pm, 4 Mar 2020Updated: 12:06pm, 5 Mar 2020

Cathay Pacific Airways has avoided a crippling financial penalty of as much as HK$4.4 billion (US$564 million) under tough European data privacy laws for a 2018 breach, after Britain’s information watchdog fined it a fraction of that sum using older legislation.

The British Information Commissioner’s Office (ICO) announced on Wednesday that Hong Kong’s flagship carrier was to pay a £500,000 (US$639,600) fine, the first financial penalty meted out by any jurisdiction for the data breach, for what it described as a “catalogue of errors”.

Some 9.4 million customers worldwide were affected by the breach, which was publicly disclosed in October 2018, in one of the worst incidents to hit the travel industry at the time.

The original breach occurred in October 2014. The information stolen included names, passport details, dates of birth, travel histories and addresses.

The breach involved the data of millions of customers. Photo: Winson Wong

Steve Eckersley, ICO director of investigations, said: “This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers.

Select Voice

Choose your listening speed

Get through articles 2x faster

1.25x

250 WPM

Slow

Average

Fast

00:0000:00

1.25x