Cathay Pacific Airways Fails to Protect Customer Data
By Mia Perry (Photo from Cathay Pacific Airways)
Over 9.5 million people have had their personal information exposed as a result of the Hong Kong-based airline Cathay Pacific Airways failing to protect customer data. A BBC article published this morning said that Cathay Pacific Airways has been fined over £500,000 by the UK Information Commissioner’s Office (ICO).
The British ICO got involved because 115,578 of the impacted individuals are UK residents.
The ICO was alerted to the airline’s data security issues in March 2018, when the company was barraged by “password-guessing” attacks. At least one of the many attacks against the company involved a server with a vulnerability the company knew about but never fixed. In further investigations, the UK monitoring agency uncovered several operational errors, including:
- Lack of password protection for backup files
- Unpatched internet-facing servers (hard-wired connection)
- Outdated/unsupported operating systems
- Inadequate protection against viruses
The National Cyber Security Centre reports that the airline failed four of the five basic Cyber Essentials controls. Passenger names, phone numbers, addresses, dates of birth and travel history were accessible to hackers because of these security failings.
Due to the timing of the security breaches, the fine from the ICO is capped at £500,000, the maximum fine under the Data Protection Act 1998. If the incidents had happened under the General Data Protection Regulation (GDPR), which came into force in 2018, the consequences would have been far worse.
In the last year the ICO has imposed significantly higher penalties on other companies—including British Airways (£183m) and Marriott (over £99m)—because of the GDPR’s expanded limits. Under the new regulation, Cathay Pacific Airways could have been slapped with a £470m fine, which is 4% of the company’s annual global turnover. Imagine how the shareholders would feel!
Technology continues to evolve quickly, and so do the methods used to attack it. Insufficient data security costs a company in finances, shareholder satisfaction and customer confidence. The lesson of this case is that investing in security up front is likely to be more cost effective, and better for the company’s reputation, than paying significant fines and losing business in the end.