Cathay Pacific Airlines Fined Over Data BreachUK's ICO Issues Largest Penalty Possible Under Country's Older Data Privacy Laws
The U.K. Information Commissioner's Office has fined Cathay Pacific Airways £500,000 ($646,000) over a data breach that exposed the personal information of 9.4 million customers, including 111,000 British citizens, during a four-year period.
The fine is the largest the U.K. privacy watchdog could impose under the country's older data protection laws since the breach, which started in 2014 and was discovered and fixed in 2018. That happened before the EU's General Data Protection Regulation went into effect in May 2018, according to the report.
During its investigation, the ICO found that the Hong Kong-based airline lacked appropriate security controls to ensure passenger data was secured within its internal IT systems, according to the report. The result is that millions of records, including names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information, were exposed, the report notes (see: Cathay Pacific Says 9.4 Million Affected by Data Breach).
The ICO report notes that investigators found a "catalog of errors" during the investigation of Cathay Pacific. This included numerous security problems ranging from database backups that were not encrypted, to an internet-facing server that was accessible due to a well-known vulnerability, to the administrator console being accessible to the open internet, and critical systems using operating systems that were no longer supported, the report notes.
In addition, anti-virus and patch management practices were poor, and many accounts were given inappropriate access privileges, according to the ICO report issued Wednesday.
"This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers," Steve Eckersley, the director of investigations for ICO, notes in the report. "The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre's basic Cyber Essentials guidance."
A Cathay Pacific spokesman tells Information Security Media Group that the airlines cooperated with the ICO during the investigation and that it has taken steps over the last two years to improve its corporate security.
"The company has already taken measures to enhance its IT security in the areas of data governance, network security and access control, education and employee awareness and incident response agility," the spokesman says. "Substantial amounts have been spent on IT infrastructure and security over the past three years and investment in these areas will continue."
The breach of the Cathay Pacific systems started sometime in October 2014, when the attackers took advantage of an internet-facing server with known vulnerabilities and gained a foothold within the network, according to the report.
Once inside the network, the attackers were able to plant malware within certain systems and began harvesting customer's personally identifiable information over the course of the next several years, according to the report.
In March of 2018, Cathay Pacific security teams finally became suspicious of some of the activity within the corporate network when the airline's Active Directory was subject to a brute-force attack, which originated with an IT services provider that the company used, according to the report.
An investigation by an outside security firm revealed that the brute-force attack stemmed from the attackers attempting to use combinations of passwords and usernames to dig further into the network to access even more data, according to the report. This led to Cathay Pacific closing down the vulnerability and applying software patches before making the breach known in May 2018, according to the ICO report.
The fine issued against Cathay Pacific is the largest that the ICO could levy under the U.K. Data Protection Act of 1998, according to the report. The EU's GDPR did not come into effect until May 2018, and this would have likely resulted in a larger penalty.
In a note to clients, Cordery, a London-based law firm that specializes in compliance matters, point out that that even if the fine against Cathay Pacific wasn't as larger as it could have been under GDPR, ICO wanted to send a message about privacy and security.
"This case is again an important signal to organizations that the ICO is serious about security," according to the note. "The ICO is clear that organizations must do all that they can to protect their systems - any organization can be the target for this type of 'brute force attack.' Organizations must have a first-rate strategy and proper tools in place for responding quickly when these incidents do happen."
Managing Editor Scott Ferguson contributed to this report.