|Date of enforcement action:|
|United Kingdom||GBP 500,000 (US$652,000)|
|Defendant company or entity:||Industry segment:|
|Cathay Pacific Airways Limited||Airlines /Transport /|
The Information Commissioner’s Office (ICO) has fined Cathay Pacific Airways Limited £500,000 for failing to protect the security of its customers’ personal data.
Between October 2014 and May 2018, Cathay Pacific’s computer systems lacked appropriate security measures, which led to the exposure of customers’ personal details. Of the customers affected, 111,578 were from the UK, with approximately 9.4 million more worldwide.
The airline’s failure to secure its systems resulted in unauthorised access to its passengers’ personal details, including names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.
Cathay Pacific became aware of suspicious activity in March 2018, when its database was subjected to a brute force attack, in which numerous passwords or phrases are submitted in the hope of eventually guessing correctly. The incident led Cathay Pacific to employ a cybersecurity firm, and it subsequently reported the incident to the ICO.
The ICO found that Cathay Pacific’s systems were entered via a server connected to the internet and that malware was installed to harvest data. A catalogue of errors was found during the ICO’s investigation, including: back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer; and inadequate anti-virus protection.
|Enforcement authority:||Type of enforcement action:|
|Information Commissioner's Office||Penalty notice|
|Subject to appeal?|
Cite this fine in your work
Data Privacy Fines Index. (2020-02-10 04:40) Cathay Pacific Airways Limited fined GBP 500k. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/cathay-pacific-airways-limited-fined-gbp-500k/
Entry last updated: 2020-03-20 05:01 GMT.