Cathay Pacific has been fined £500,000 by the data watchdog for failing to secure its customers’ personal information.
The Information Commissioner’s Office (ICO) today said the airline’s computer systems lacked appropriate security measures to protect customers’ personal details.
As a result, roughly 9.4m passengers’ data was exposed between 2014 and 2018, 111,578 of whom were from the UK.
The watchdog said the airline’s failure to secure its systems led to a breach, with hackers gaining access to details including names, passport details, dates of birth and phone numbers.
The Hong Kong-based company became aware of suspicious activity in March 2018, when its database was subjected to a “brute force attack”.
Cathay Pacific hired a cybersecurity firm to deal with the incident, before reporting it to the ICO.
The watchdog outlined a “catalogue of errors” by the airline, including back-up files that were not password protected, unpatched internet-facing servers and outdated operating systems.
“People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here,” said ICO director of investigations Steve Eckersley.
“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected.”
The £500,000 penalty is the largest penalty the watchdog was able to hand down under previous legislation.
Since the introduction of the General Data Protection Regulation (GDPR) in 2018, the ICo can fine companies up to £17m or four per cent of global turnover — whichever is larger.
Aman Johal, director of Your Lawyers, said Cathay Pacific had escaped with a small fine that did not emphasise the extent of its data protection failure.
“Cathay Pacific should count themselves lucky to have escaped a larger fine they could have faced under the GDPR, ” he said.
“Hopefully, they’ll see this as a lesson – that customer data protection must be taken seriously. The consequences might be far graver if there’s a repeat of this kind of breach in the future.”
Cathay Pacific has been contacted for comment.