Cathay Pacific Airways Limited fined GBP 500k

Essentials

Date of enforcement action:
10/Feb/2020
Jurisdiction: Fine imposed:
United Kingdom Flag for United Kingdom, which is the jurisdiction taking enforcement action GBP 500,000 (US$652,000)
Defendant company or entity: Industry segment:
Cathay Pacific Airways Limited Airlines /Transport /

Case summary

The Information Commissioner’s Office (ICO) has fined Cathay Pacific Airways Limited £500,000 for failing to protect the security of its customers’ personal data.

Between October 2014 and May 2018 Cathay Pacific’s computer systems lacked appropriate security measures which led to customers’ personal details being exposed, 111,578 of whom were from the UK, and approximately 9.4 million more worldwide.

The airline’s failure to secure its systems resulted in the unauthorised access to their passengers’ personal details including: names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.

Cathay Pacific became aware of suspicious activity in March 2018 when its database was subjected to a brute force attack, where numerous passwords or phrases are submitted with the hope of eventually guessing correctly. The incident led Cathay Pacific to employ a cybersecurity firm, and they subsequently reported the incident to the ICO.

The ICO found Cathay Pacific’s systems were entered via a server connected to the internet and malware was installed to harvest data. A catalogue of errors were found during the ICO’s investigation including: back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer and inadequate anti-virus protection.

(ICO UK)

Commentary

The ICO regarded the contravention by the respondent company as serious. This was because of the large number of data subjects affected, the types of personal data exposed, the number of failings identified and the long duration of the breach (three and a half years).

The ICO viewed the following factors as aggravating for Cathay Pacific, meaning that they would tend to increase the amount of the fine imposed:

  • (i) the failure of the company to follow its own policies (i.e. the company knew of the risks but failed to apply its own controls);
  • (ii) the duration of the breach was a long one, in which the problem was not identified or corrected by routine checks;
  • (iii) the company retained data for longer than was necessary, putting this data at risk on decommissioned servers;
  • (iv) the data breach demonstrated that the company had not honored some of the “most fundamental principles of data security”.

All said, the ICO did consider that Cathay Pacific “acted promptly and forthrightly since it became aware of the data breach”. It also noted that the company “went above and beyond its legal obligations in issuing appropriate information to data subjects and cooperating with the investigation”. This factor was taken into account in mitigation. Nevertheless, a substantial fine of GBP 500,000 was imposed by the ICO.

The GBP 500,000 fine is the maximum fine that could be issued under the 1998 legislation, the Data Protection Act.

Applicable legal provisions

Enforcement information

Enforcement authority: Type of enforcement action:
Information Commissioner's Office Flag for United Kingdom, which is the jurisdiction taking enforcement action Penalty notice
Subject to appeal?
Yes

Cite this fine in your work

Data Privacy Fines Index. (2020-02-10 04:40) Cathay Pacific Airways Limited fined GBP 500k. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/cathay-pacific-airways-limited-fined-gbp-500k/

Entry last updated: 2020-03-20 05:01 GMT.