LONDON – The UK Information Commissioner’s Office (ICO) announced a fine of £500,000 ($636,000) for the international airline Cathay Pacific on Wednesday. It was for a data breach that occurred between October 2014 and May 2018, affecting 9.4 million users.
Cathay Pacific Given Maximum Pre-GDPR Fine
The ICO concluded that Cathay Pacific’s systems were breached due to “negligence,” with malware used to harvest a variety of personal data. This included names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information. The investigation found a number of serious failings, including not protecting back-up files with passwords, leaving internet-facing servers unpatched, continuing to use operating systems that were no longer supported by their vendor, and not having sufficient anti-virus protection in place.
Steve Eckersley, ICO Director of Investigations, said:
This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.
Despite this, the ICO accepted that Cathay Pacific “acted promptly and forthrightly” after becoming aware of a brute force attack in March 2018. It hired a cybersecurity firm and informed the ICO. Furthermore, the airline “went above and beyond its legal duties” in informing victims and co-operating with the investigation.
As the incident occurred before the introduction of GDPR, the ICO investigated it under the older legislation, the Data Protection Act 1998. The £500,000 fine was the largest it could issue under that law.
Charlotte:
Sadly, yours truly is likely amongst those Cathay clients whose data was stolen.
This illustrates, yet again, that despite the best practices one might follow in security regimens in one’s own life, an individual can nonetheless suffer multiple incidents, none of their own making, in which their vital data is stolen by actors whose intentions, while unknown, cannot be good.
This is beyond unacceptable; it is unsustainable. The data that professional thieves, state sponsored or private, are stealing can be used to leverage access to even more data and assets, or be weaponised to inflict real harm (e.g. using vital data to open apparently legitimate online social media and bank accounts in order to support political campaigns and influence national elections, launder money, or engage in multiple fraudulent acts), despite an individual taking every precaution to safeguard their most precious personal asset – their identity.
It is past time that there are set industry standards that any organisation, if it is to request, require or retain personal data, must demonstrate and maintain in order to qualify for a licence to obtain and hold such data, under supervision of a regulatory agency that can impose punishing penalties severe enough that they can be company life altering or even extinguishing – rather like a prison sentence to an individual, the severity of which is attenuated to the severity of the offence.
There is nothing more feared than the unknown. Having one’s data harvested by unknown parties for an unknown purpose to be executed at an unknown time with an unknown consequence to oneself surely qualifies as a cause for fear and a vulnerability that our elected representatives, themselves equally vulnerable, should rise to quash.
That such regulation has not yet been imposed, given the repeated violations to individual and societal life, is tantamount to legislative criminal malpractice.