Home Cyber Attack Cathay Pacific Airline Punished With £500,000 Fine Over 2018 Data Breach

Cathay Pacific Airline Punished With £500,000 Fine Over 2018 Data Breach

by Abeerah Hashim
Cathay Pacific punished over breach

Cathay Pacific has recently been punished over a 2018 data breach. For the incident that affected 9.4 million customers, the UK ICO has imposed a fine of £500,000 on the airline.

Recap of Cathay Pacific Breach

In October 2018, the famous airline Cathay Pacific disclosed a huge data breach affecting millions of its customers. The incident reportedly affected around 9.4 million customers globally, including 111,578 individuals from the UK only.

According to the UK ICO penalty notice, the breach gained initial attention in May 2018 and was found to have been going on for at least four years. The breach affected four different airline systems. These include the reporting tool, the system for processing and recording data, a shared backend database, and a transient database.

During the breach, the attackers succeeded in pilfering important details about the customers including credit card numbers.

ICO Imposed £500,000 Fine

Recently, the UK ICO has punished Cathay Pacific for failing to protect the security of customers’ data. Specifically, they highlighted numerous security flaws at the airline’s end that led to the breach.

At first, they mentioned the lack of encryption of the database backups that gave access to unauthorized users. Secondly, a known yet unpatched vulnerability existed in their internet-facing servers. There were other major vulnerabilities such as inadequate antivirus protection, inadequate patch management, inadequate server hardening, inappropriate privileges to accounts, and others.

Considering all the anomalies that allowed hackers to pilfer users’ data, causing distress to affectees, the UK ICO has fined the airline with a hefty amount of £500,000.

Since the breach took place before the imposition of the new GDPR rules, the fine imposed is the maximum applicable penalty under the previously implemented Data Protection Act 1998. Had the incident happened later, the airline may have received more severe penalties for the breach.

Let us know your thoughts in the comments.

You may also like