Cathay Pacific Airways Limited has been fined £500,000 by the UK data protection regulator the Information Commissioner’s Office (ICO). The watchdog says that between October 2014 and May 2018 the airline’s computer systems lacked appropriate security measures which led to customers’ personal details being exposed. Some 111,578 of whom were from the UK, and about 9.4 million more worldwide.
The airline’s failure to secure its systems resulted in the unauthorised access to their passengers’ personal details including: names, passport and other identity details, dates of birth, postal and email addresses, phone numbers and historical travel data, the ICO says. Cathay Pacific became aware of suspicious activity in March 2018 when its database was subjected to a ‘brute force’ cyber attack, where numerous passwords or phrases are submitted with the hope of eventually guessing correctly. The incident led Cathay Pacific to employ an unnamed cybersecurity firm, and they reported the incident to the ICO.
The cyber firm identified two separate groups of attackers. While the ICO says there are ‘no cases of confirmed misuse’ of the data taken, the regulator suggests that the data will be used in phishing attacks, using ‘social engineering’ methods to trick victims, by using such seemingly confidential info.
The ICO says Cathay Pacific’s systems were entered via a server connected to the internet and malware was installed to harvest data. According to the regulator, a catalogue of errors were found, including: back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer and inadequate anti-virus protection.
Steve Eckersley, ICO Director of Investigations, said: “People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here. This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.
“Under data protection law organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible.”
The ICO took this case under the Data Protection Act 1998; under that regime, before new data protection law came into force in 2018, the maximum penalty that the ICO could levy was £500,000. While the airline is based in Hong Kong, it has a company in London.
The ICO calls the breach a serious contravention of Principle 7 of the Data Protection Act 1998, which states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data. Besides seeking assistance from a cyber firm, Cathay Pacific also issued appropriate information to those affected and co-operated with the ICO. For details of the case visit the ICO website.
Comments
Adam Vincent, CEO at ThreatConnect, said: “Organisations must understand the importance of good security and the value that a culture of security brings to the business. This starts with understanding security requirements and processes so businesses can ensure the right professionals and solutions are in place. Companies can then start to build a better understanding of the adversaries they are facing.
“Just as you wouldn’t fail to do thorough research on your business rivals, why would you neglect to learn about the people trying to breach your systems? Companies should ensure a feedback loop exists within a business, where intelligence about threats constantly feeds operations and insights garnered from operations are fed back into the intelligence. Cyber criminals are becoming more sophisticated. Organisations need to demonstrate they are serious about protecting customer data, keeping their business secure, and developing intelligence-driven security operations to minimise the threats they face.”
Cesar Cerrudo, CTO at IOActive says: “As it took place before GDPR came into effect, the company has gotten off lightly with a £500k fine – which is the maximum penalty under the 1998 Data Protection Act. This sum is a drop in the ocean compared to what it could have been.
“Companies can’t afford to stick their heads in the sand and ignore cyber security any longer. It’s absolutely vital to exercise good security hygiene, prioritise data protection and keep cyber resiliency in mind. This means looking at their processes from end-to-end, considering how devices and systems are being used, connected and who is using them, to truly get a strong gauge of their cybersecurity posture. Yet it is equally important to take a proactive approach and go out looking for threats, using third parties who can think like a hacker to really test your defences, so you are not caught off-guard. Ultimately, no business can ever be 100% secure; it’s all about understanding the threat surface, reducing your risk, and protecting the crown jewels – i.e. your customer data.”
