Cathay Pacific again apologised for the incident, which came to light in late 2018. Photo: Winson Wong

Cathay Pacific fined £500,000 by British privacy watchdog for 2018 data breach but avoids potentially heftier penalty under European regulation

  • Cathay hit with maximum penalty under British Data Protection Act, while potential fine under European regulation could have been HK$4.4 billion
  • Some 9.4 million customers worldwide were affected by the breach, which was publicly disclosed in October 2018
Cathay Pacific Airways has avoided a crippling financial penalty of as much as HK$4.4 billion (US$564 million) under tough European data privacy laws for a 2018 breach, after Britain’s information watchdog fined it a fraction of that sum using older legislation.

The British Information Commissioner’s Office (ICO) announced on Wednesday that Hong Kong’s flagship carrier was to pay a £500,000 (US$639,600) fine, the first financial penalty meted out by any jurisdiction for the data breach, for what it described as a “catalogue of errors”.

Some 9.4 million customers worldwide were affected by the breach, which was publicly disclosed in October 2018, in one of the worst incidents to hit the travel industry at the time.

The original breach occurred in October 2014. The information stolen included names, passport details, dates of birth, travel histories and addresses.

The breach involved the data of millions of customers. Photo: Winson Wong

Steve Eckersley, ICO director of investigations, said: “This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers.

“The multiple serious deficiencies we found fell well below the standard expected.”

The airline failed to satisfy four out of five points of the National Cyber Security Centre’s basic guidance, the watchdog said.

The airline had no plans to appeal the fine, a company spokeswoman said.

Cathay was hit with the maximum penalty under the 1998 Data Protection Act, the British law used rather than the European General Data Protection Regulation (GDPR), implemented in 2018, “due to the timing of the incidents in this investigation”, the ICO said.

With the airline’s annual revenue in 2018 standing at HK$111 billion, the potential fine under GDPR of 4 per cent of yearly global turnover could have been HK$4.4 billion.

Among the ICO’s findings in its investigation of the breach were: backup files that were not password-protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer; and inadequate antivirus protection.

In Britain, the data of 111,578 people was compromised.

The company said in a statement it “would once again like to express its regret, and to sincerely apologise for this incident”.

The airline said it had since spent substantial amounts of money upgrading its IT infrastructure and security. In recent weeks it unveiled a new “IT Command Centre” to monitor and stop or minimise digital incidents in real time.

The airline reiterated there was no evidence of personal data being misused.

“However, we are aware that in today’s world, as the sophistication of cyberattackers continues to increase, we need to and will continue to invest in and evolve our IT security systems,” the company added.

In March 2018, the airline discovered its systems were being accessed in a “brute force” attack, in which large numbers of passwords or phrases are submitted in the hope that one eventually proves correct. The airline only disclosed the breach publicly six months later, after media pressure.
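The brute-force pattern described above is one of the easiest intrusion signals to catch in authentication logs if anyone is watching them. The following is an added example, not code from the article, from Cathay Pacific or from the ICO: a small sliding-window detector over constructed auth log lines (the log format, the addresses and the thresholds are all assumptions). It goes slightly beyond the text in that it also flags “password spraying”, where one source tries a few guesses against many accounts, and it deliberately includes a slow attacker whose attempts are spaced wider than the window, to show that a fixed threshold on its own does not catch a patient adversary.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (assumed format; not from any real system):
#   203.0.113.7   hammers one account six times in six seconds
#   198.51.100.9  tries three different accounts once each (spraying)
#   192.0.2.44    one typo, then a successful login (benign)
#   203.0.113.99  one guess every 15 minutes (slow, evades a 10-minute window)
SAMPLE_LOG = """\
2018-03-01T02:00:01Z auth login FAIL user=jsmith src=203.0.113.7
2018-03-01T02:00:02Z auth login FAIL user=jsmith src=203.0.113.7
2018-03-01T02:00:03Z auth login FAIL user=jsmith src=203.0.113.7
2018-03-01T02:00:04Z auth login FAIL user=jsmith src=203.0.113.7
2018-03-01T02:00:05Z auth login FAIL user=jsmith src=203.0.113.7
2018-03-01T02:00:06Z auth login FAIL user=jsmith src=203.0.113.7
2018-03-01T02:01:00Z auth login FAIL user=alice src=198.51.100.9
2018-03-01T02:03:00Z auth login FAIL user=bob src=198.51.100.9
2018-03-01T02:05:00Z auth login FAIL user=carol src=198.51.100.9
2018-03-01T02:06:00Z auth login FAIL user=dave src=192.0.2.44
2018-03-01T02:06:30Z auth login OK user=dave src=192.0.2.44
2018-03-01T02:10:00Z auth login FAIL user=root src=203.0.113.99
2018-03-01T02:25:00Z auth login FAIL user=root src=203.0.113.99
2018-03-01T02:40:00Z auth login FAIL user=root src=203.0.113.99
2018-03-01T02:55:00Z auth login FAIL user=root src=203.0.113.99
2018-03-01T03:10:00Z auth login FAIL user=root src=203.0.113.99
this line is not an auth record and must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one auth log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def detect_bruteforce(lines, max_failures=5, max_users=3, window=timedelta(minutes=10)):
    """Sliding-window detector over failed logins, keyed by source address.

    A source is flagged the first time that, within `window`, it has either
      * at least `max_failures` failed logins (classic brute force), or
      * failed logins against at least `max_users` distinct accounts (spraying).
    Thresholds are illustrative assumptions. Returns {src: (reason, alert_ts)}.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures still in the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "FAIL":
            continue  # unparseable lines and successful logins carry no failure signal
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["user"]))
        # Expire failures older than the window relative to the newest event.
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        if rec["src"] in alerts:
            continue  # already reported; avoid alert storms from one source
        if len(q) >= max_failures:
            alerts[rec["src"]] = ("repeated failures", rec["ts"])
        elif len({user for _, user in q}) >= max_users:
            alerts[rec["src"]] = ("many accounts", rec["ts"])
    return alerts


if __name__ == "__main__":
    for src, (reason, ts) in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ts.isoformat()} ALERT src={src} reason={reason}")
```

Run against the sample, the detector reports 203.0.113.7 at its fifth failure and 198.51.100.9 at its third distinct account, while 192.0.2.44 (one typo) and 203.0.113.99 (the slow guesser) are not flagged. Closing the last gap needs a longer window or a per-account failure count in addition to the per-source one, which is exactly the kind of monitoring the ICO found absent here.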

Last June, Hong Kong’s privacy commissioner slammed Cathay for being too lax in protecting its data systems, which had been accessed without authorisation. No financial penalty was ever issued.

Following a data breach in summer 2018, the watchdog announced its intention to fine British Airways £183 million (US$234 million).

Last week, that airline’s parent company IAG said it had “not been proven that British Airways failed to comply with its obligation under GDPR and the UK Data Protection Act”. The company expects the ultimate fine to be “considerably lower”.
