Cathay Pacific fined £500,000 by ICO for failing to protect customers' personal data

Cathay Pacific hit with the largest pre-GDPR fine the ICO can levy for exposing details of 9.4 million customers worldwide between 2014 and 2018

Cathay Pacific, the flag carrier of Hong Kong, has been fined £500,000 by the Information Commissioner's Office (ICO) over a data breach that lasted from 2014 to 2018.

In the process, the personal details of 9.4 million people worldwide, including 111,578 in the UK, were exposed.

The ICO found the breach to be a serious contravention of Principle 7 of the Data Protection Act 1998, rather than GDPR. Principle 7 states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.

The airline's failure to secure its systems, the ICO claimed, resulted in unauthorised access to passengers' personal details, including names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.

Although the breach began in October 2014, the airline only became aware of it in May 2018 - all pre-GDPR, which limited the maximum fine that the ICO could levy to just £500,000. In addition, Cathay Pacific will be entitled to a 20 per cent discount if it pays up within the next 30 days.

"This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific's system, which gave easy access to the hackers," said ICO Director of Investigations Steve Eckersley.

He continued: "The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre's basic Cyber Essentials guidance.

"Under data protection law organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible."

Were the breach to have happened after GDPR came into force on 25th May 2018, the proposed fine would have been in the order of tens of millions of pounds - if the first post-GDPR fines are any guide.

British Airways, for example, is currently fighting a £183 million proposed fine from the ICO over its August and September 2018 Magecart compromise. Hotel chain Marriott International, meanwhile, is fighting a proposed £99 million fine over an attack that pre-dated GDPR but was only discovered in November 2018 and only came to light in March 2019.