Information Commissioner's Office
International airline fined £500,000 for failing to secure its customers’ personal data
The Information Commissioner’s Office (ICO) has fined Cathay Pacific Airways Limited £500,000 for failing to protect the security of its customers’ personal data.
Between October 2014 and May 2018 Cathay Pacific’s computer systems lacked appropriate security measures, which led to customers’ personal details being exposed; 111,578 of those customers were from the UK, and approximately 9.4 million more were from elsewhere in the world.
The airline’s failure to secure its systems resulted in unauthorised access to its passengers’ personal details, including: names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.
Cathay Pacific became aware of suspicious activity in March 2018 when its database was subjected to a brute force attack, in which numerous passwords or phrases are submitted in the hope of eventually guessing correctly. The incident led Cathay Pacific to engage a cybersecurity firm, and it subsequently reported the incident to the ICO.
The ICO found that Cathay Pacific’s systems were entered via a server connected to the internet and that malware was installed to harvest data. A catalogue of errors was found during the ICO’s investigation, including: back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer; and inadequate anti-virus protection.
Steve Eckersley, ICO Director of Investigations, said:
“People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here.
“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.
“Under data protection law organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible.”
Strengthened UK and European data protection laws came into force in 2018; however, due to the timing of these incidents, the ICO investigated this case under the Data Protection Act 1998. The ICO found the breach to be a serious contravention of Principle 7 of the Data Protection Act 1998, which states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.
In addition to acting promptly in seeking expert assistance from a leading cyber security firm, Cathay Pacific also issued appropriate information to affected individuals and co-operated with the ICO’s investigation.
Full details of the investigation can be found in the Monetary Penalty Notice.
Notes to Editors
- Pursuant to Article 4 of the Data Protection (Monetary Penalties) Order 2010, paragraph 18 of the monetary penalty notice is varied as follows:
a) The earliest date of the unauthorised access to Cathay Pacific’s systems was 14 October 2014, not 15 October 2014.
b) The earliest known date of unauthorised access to personal data was 7 February 2015, not 2 July 2015.
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
- The General Data Protection Regulation (GDPR) is a recent data protection law which came into being in the UK from 25 May 2018. Its provisions are included in the Data Protection Act 2018. The Act also includes measures related to wider data protection reforms in areas not covered by the GDPR, such as law enforcement and security. The UK’s decision to leave the EU will not affect the commencement of the GDPR.
- Due to the timing of the incidents in this investigation, a civil monetary penalty has been issued under the previous legislation, the Data Protection Act 1998. The maximum financial penalty in civil cases under former laws is £500,000.
- Under past and current law, the ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17 million (20m Euro) or 4% of global turnover.
- Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by ICO.
- To report a concern to the ICO go to ico.org.uk/concerns.