
ICO issues monetary penalty notice against Cathay Pacific for data breach

Published on 02 June 2020

When is the ICO likely to impose its maximum fine for a data breach?

The key takeaway

The costs of getting IT systems right can appear relatively light when compared to the fines, claims and reputational damage that a business can be exposed to from a data breach. 

The background

Cathay Pacific (Cathay) is an airline headquartered in Hong Kong. Cathay conducted its UK operations out of an office in Hammersmith. The servers used by the office held customer data including names, dates of birth, passport numbers, nationalities and loyalty programme data. In October 2014 Cathay’s systems were accessed by an unauthorised third party at the start of a 3.5-year cyber-attack. The data of more than 9.4 million data subjects was affected. Cathay self-reported the attack to the ICO on 25 October 2018. More than 12,000 customers have since submitted complaints to Cathay.

Cathay’s London office qualifies as an establishment and brings it within the scope of the Data Protection Act 1998 (DPA 1998). Under the DPA 1998, data controllers are required to comply with a number of data protection principles. Data Protection Principle 7 (DPP7) requires that the data controller takes appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The development

The ICO found that Cathay Pacific was in breach of DPP7 based on the following: 

  • databases were not encrypted: Cathay had failed to comply with its own policies
  • the internet-facing server was potentially accessed via a publicly known vulnerability: Cathay’s systems had not picked this up despite the vulnerability having been published on the Common Vulnerabilities and Exposures (CVE) system in 2007
  • the administrator console was publicly accessible via the Internet: the console should only have been accessible to Cathay employees and authorised third parties
  • Server A was hosted on an operating system that was no longer supported: as a result, security updates were no longer available
  • Cathay could not provide evidence of server hardening: unnecessary applications and services had not been removed in accordance with Cathay policy
  • network users were permitted to authenticate without multi-factor authentication: a simple authentication process made access easier for unauthorised third parties
  • the anti-virus protection was inadequate: there was no anti-virus software installed on some of the servers
  • patch management was not carried out regularly: the logs showed periods of time where security updates and patching were not completed
  • forensic evidence was not preserved for the ICO’s further review
  • accounts were given inappropriate privileges: several of the compromised accounts unnecessarily had full administrator rights
  • penetration testing was inadequate: some servers had not been penetration tested for three years
  • retention periods were too long: for example, the loyalty scheme data was held indefinitely and was only deleted after seven years of inactivity.

The ICO found that the breaches on the part of Cathay were particularly serious because of the large number of individuals affected and the long period over which they had taken place, as well as the potential for fraud to be carried out using the data obtained. The breaches were likely to have caused substantial distress or harm to data subjects. The ICO also found that Cathay had been negligent in its actions by failing to follow its own procedures and to remedy ongoing issues. Whilst Cathay had acted to improve its systems and help the ICO once the inadequacies had been identified, this was to be expected of an organisation of its size. The ICO issued the maximum Monetary Penalty Notice available under the DPA 1998 (£500,000).

Why is this important?

The ICO can issue fines under the DPA 1998 or the GDPR (depending on the timing of the breach) whether or not a business is headquartered in the UK. Those with a presence in the UK or an EU member state have no option but to invest properly in data protection compliance if their senior management want to sleep soundly at night, particularly given the scale of fines now available to the ICO and other European regulators under the GDPR.

Any practical tips?

Share this snapshot with your IT Director! Understanding where others have failed in data security processes helps focus the collective mind and could trigger an internal investigation which (under the GDPR's increased fining regime) could literally save your business millions.