The U.K. Information Commissioner's Office (ICO) has fined aviation giant Cathay Pacific US$650,000 (£500,000, the maximum available under the pre-GDPR Data Protection Act 1998) for failing to protect customer personal data.
As many as 9.4 million customers had their personal data compromised, including names, nationalities, passport details, and historical travel information.
The airline's systems were first accessed without authorization in October 2014. Cathay Pacific detected the intrusion in February 2015, and after remediation the unauthorized access ended in May 2018.
However, the airline only reported the breach to the ICO in October 2018. The ICO noted that the systems were infiltrated via a server connected to the internet, and that malware was installed to harvest the data.
Further investigation found that the breach was made possible by multiple data security deficiencies at Cathay Pacific.
It did not stop there: in many instances the airline did not comply with its own security policies. For example, although its policy clearly required it, database backups were never encrypted.
Administrator dashboards, which should have been accessible only to employees or authorized third parties, were publicly reachable over the internet. No risk assessments were carried out.
In addition, some servers were left unpatched, anti-virus protection was severely inadequate, and key operating systems were out of support. Other failings included a lack of multi-factor authentication for VPN access, inadequate penetration testing, and poor preservation of digital evidence.
The ICO noted that Cathay Pacific did not follow its own policies even though it was well aware of the gravity of a potential data breach.
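As an added illustration, not code from the original article or from Cathay Pacific, the script below shows the kind of check an auditor could run against the backup-encryption policy the ICO found was written down but not followed: it walks a backup directory and classifies each file as plaintext, compressed-only, or encrypted. The magic-byte tables and the entropy threshold are assumptions; the key caveat it encodes is that compression (gzip, zip, xz) raises entropy without protecting the data, so a high-entropy file is not automatically an encrypted one.

```python
import gzip
import math
import os
import tempfile
from collections import Counter

# Assumed magic bytes for common compressed formats. These files look random
# to an entropy test but are NOT encrypted, so they are classified separately.
COMPRESSED_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
    b"PK\x03\x04": "zip",
}

# Assumed magic bytes for containers that do carry encryption. Binary OpenPGP
# packets are not listed here and fall through to the entropy heuristic.
ENCRYPTED_MAGIC = {
    b"-----BEGIN PGP MESSAGE-----": "OpenPGP (ASCII armour)",
    b"age-encryption.org/v1": "age",
}

# Assumed threshold in bits per byte; English text and SQL dumps sit around
# 4 to 5, random or ciphertext bytes approach 8.
ENTROPY_THRESHOLD = 6.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_backup(data: bytes) -> str:
    """Classify a backup blob by header first, then by entropy as a fallback."""
    head = data[:64]
    for magic, name in ENCRYPTED_MAGIC.items():
        if head.startswith(magic):
            return f"encrypted ({name})"
    for magic, name in COMPRESSED_MAGIC.items():
        if head.startswith(magic):
            return f"compressed, not encrypted ({name})"
    # Only sample the first 64 KiB: enough to characterise the file cheaply.
    if shannon_entropy(data[:65536]) < ENTROPY_THRESHOLD:
        return "plaintext"
    return "high entropy, probably encrypted (verify format)"


def audit_backup_dir(path: str) -> dict:
    """Return {filename: classification} for every regular file under path."""
    results = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                results[os.path.relpath(full, path)] = classify_backup(fh.read())
    return results


def unencrypted_backups(results: dict) -> list:
    """Files that violate an 'all backups must be encrypted' policy."""
    return sorted(f for f, c in results.items() if not c.startswith("encrypted")
                  and "probably encrypted" not in c)


# Constructed sample data: a fake SQL dump with the kind of fields the article
# mentions, plus compressed and encrypted-looking variants of it.
SAMPLE_DUMP = (
    b"-- MySQL dump (constructed sample)\n"
    b"CREATE TABLE passengers (name TEXT, nationality TEXT, passport TEXT);\n"
    b"INSERT INTO passengers VALUES ('J. Doe', 'GB', 'REDACTED');\n"
) * 20


def main() -> None:
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "db.sql"), "wb") as f:
            f.write(SAMPLE_DUMP)
        with open(os.path.join(tmp, "db.sql.gz"), "wb") as f:
            f.write(gzip.compress(SAMPLE_DUMP))
        with open(os.path.join(tmp, "db.sql.age"), "wb") as f:
            f.write(b"age-encryption.org/v1\n" + os.urandom(256))
        results = audit_backup_dir(tmp)
        for name, verdict in sorted(results.items()):
            print(f"{name:12} {verdict}")
        print("policy violations:", unencrypted_backups(results))


if __name__ == "__main__":
    main()
```

Run against a real backup location, the list returned by `unencrypted_backups` is the evidence an internal audit would need to show whether the written policy is actually enforced; a non-empty list on a production backup share is exactly the gap the ICO penalised.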