Cathay Pacific Airways has been fined £500,000 (approximately $640,000) by the UK’s Information Commissioner’s Office (ICO) for failing to protect customers’ personal data.
As the BBC reports, 111,578 people in the UK and approximately 9.4 million more people worldwide had their data exposed between October 2014 and May 2018. The data includes customers’ names, passport details, dates of birth, phone numbers, addresses, and travel histories.
Since the breach happened before GDPR (General Data Protection Regulation) took effect, the airline avoided being fined up to £470m – four percent of its annual global turnover. Instead, it has been fined the maximum that the ICO can levy under the UK’s Data Protection Act of 1998.
The airline said it became aware of the issue when it was the victim of a brute force attack in 2018. After the attack was reported to the ICO, the regulator found that the Hong Kong airline had not password-protected its backup files, had internet-facing servers that were not updated, ran operating systems that were no longer supported by their developers, and had poor antivirus protection.
One attack on a server exploited a vulnerability that had been known for over a decade, yet the airline had not applied the available fix. In a statement to the BBC, Steve Eckersley, the ICO’s director of investigations, said there were “a number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers.”
This is not the first time that an airline has faced a large fine for failing to adequately protect its customers’ data. In July 2019, British Airways was fined $229m for a data breach the previous year which allowed hackers to access the names, email addresses, and credit card numbers of 500,000 customers.