The Information Commissioner’s Office (ICO) has fined Cathay Pacific Airways £500,000 for failing to protect customers’ personal data.
The UK watchdog said the airline’s computer systems had exposed details of 111,578 UK residents and a further 9.4 million people from other countries.
These included names, passport details, dates of birth, phone numbers, addresses and travel history.
“Appropriate security” was not in place between October 2014 and May 2018.
The ICO said Cathay Pacific became aware of a problem in March 2018, when it suffered a “brute force” password-guessing attack.
The Hong Kong-based firm reported this to the ICO. The regulator said it subsequently uncovered “a catalogue of errors” during a follow-up investigation, including:
- back-up files that were not password protected
- internet-facing servers without the latest patches
- operating systems that were no longer supported by the developer
- inadequate anti-virus protection
Steve Eckersley, the ICO’s director of investigations, said there were “a number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers”.
The airline failed four of the five basic controls in the National Cyber Security Centre’s Cyber Essentials guidance, he added.
The £500,000 fine is the maximum possible under the Data Protection Act 1998.
If the case had been considered under the General Data Protection Regulation (GDPR), which later came into effect, the maximum penalty could have been £17m or 4% of the company’s global sales.