International airline Cathay Pacific was issued a fine of £500,000 for failing to secure the personal data of its customers.
Cathay Pacific’s computer systems lacked the necessary security measures, which resulted in the exposure of its customers’ personal details. Of those exposed, 111,578 were from the UK alone, and around 9.4 million more worldwide.
Because the airline failed to secure its systems, criminals managed to access its passengers’ personal details, which include customer names, passport and identity details, dates of birth, home and email addresses, phone numbers, and previous travel information.
According to the Information Commissioner’s Office (ICO), which issued the fine, the breach had been going on from at least October 2014 until March 2018, when it was uncovered and disclosed.
On investigation by the data protection authority, it was found that the errors occurred due to the way the airline handled cybersecurity.
The ICO stated that the backups were not password-protected or encrypted, internet-facing servers were left unpatched despite a known vulnerability, an unsupported operating system was in use, and anti-virus protection was inadequate.
It was also found that there was no software patch management strategy and that users were able to remotely access systems without any multi-factor authentication.
Cathay Pacific came to know about the data breach in March 2018, after the database was subjected to a brute-force attack in which the hackers tried to reach additional areas by guessing passwords. The airline then hired a cybersecurity company to investigate the attack, and the incident was referred to the ICO.
The ICO has issued Cathay Pacific with a fine of £500,000, which is the maximum figure possible under the Data Protection Act 1998.
The airline company stated that they would like to express their regret, and sincerely apologized for the incident.
They mentioned that huge amounts have been spent on IT infrastructure and security over the past three years and more investment in these areas will continue.
The Cathay Pacific data breach happened before GDPR, which introduced even higher financial penalties for security breaches, came into force in May 2018.