Cathay Pacific Airways has been fined £500,000 for failing to take adequate measures to protect its customers' personal data. The fine was imposed on the airline by the United Kingdom's Information Commissioner's Office (ICO).
Personal details of 111,578 UK residents, along with the personal data of 9.4 million people from other countries, were compromised in a breach of the airline's computer systems, the UK watchdog said. The compromised information included names, passport details, dates of birth, phone numbers, addresses and travel history.
The airline only became aware of the problem in March 2018, after it suffered a "brute force" password-guessing attack, the ICO said.
The Hong Kong-based airline reported the incident to the ICO. In its follow-up investigation, the UK regulator says it uncovered "a catalogue of errors", including at least one cyber attack that exploited a known server vulnerability. The company had never applied a fix or taken other preventive measures, even though the vulnerability had apparently been publicly known for more than 10 years.
There were “a number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers,” said Steve Eckersley, the ICO’s director of investigations.
He added that the airline had failed to implement at least four of the five essential measures against cyber threats prescribed by the National Cyber Security Centre.
The new GDPR rules prescribe a much greater maximum fine for such failures, and it is now clear that the airline's failures in this case would have warranted a much larger fine and a more severe punishment under them.
According to analysts, under GDPR Cathay Pacific could have been fined up to £470m, or 4 per cent of its annual global turnover, rather than £500,000; such a penalty would not have gone down well with the company's shareholders.
Analysts explained that the £500,000 fine is the maximum penalty available under the Data Protection Act 1998, which was used to determine the punishment instead of the newer GDPR "due to the timing of the incidents in this investigation".
In July 2019 the ICO announced a £183m fine against British Airways for a breach of its systems, as well as a £99.2m fine against the Marriott hotel group. However, both fines were delayed until later this year.
Explaining the comparatively lower fine for Cathay Pacific, the ICO said that the airline had acted promptly once it became aware of the breach, sought expert help from a top cyber-security firm and contacted the affected customers.
(Adapted from BBC.com)