The Information Commissioner’s Office (ICO), the UK’s privacy watchdog, has fined airline Cathay Pacific £500,000 for a serious breach of the Data Protection Act.
The flag carrier of Hong Kong was hacked on or before the 15th of October 2014, but it did not become aware of suspicious activity on its network until the 13th of March 2018 when it was subjected to a brute force attack on its Active Directory database.
The attack originated from an IT service provider’s server, which provided support to Cathay Pacific. On discovery of the attack, the airline tasked an independent third party with investigating the matter. Varying tactics, techniques and procedures involved in the breach led investigators to conclude that two separate attackers had breached Cathay Pacific’s systems.
Systems breached included a reporting tool that compiles reports on a number of different databases, including its customer database; a system used for processing and recording the membership details of data subjects in the airline’s member group; a shared back-end database primarily used to support web-based applications; and a transient database that allows Asia Miles members to redeem non-air awards. In total, 9.4 million data subjects were affected by the data breach.
The airline reported the breach on the 25th of October 2018, claiming that several months were required to analyse the data, fully understand the impact of the hack and put adequate customer service resources in place to deal with the aftermath. About 12,000 customers around the world lodged complaints with the airline over the breach.
A spokesperson for the ICO said: “There have been no cases of confirmed misuse of the personal data accessed by the attackers. However, given the nature of the information, including passport numbers, it’s likely that social engineering phishing attacks against those data subjects will be successful in the future, as the confidential information can be used to convince victims of legitimacy.”
Upon investigating Cathay Pacific’s data security set-up and response to the attack, the ICO said it found numerous deficiencies.
It found that Cathay Pacific’s back-up files were not password protected, internet-facing servers were missing the latest patches, operating systems in use were no longer supported by their developer, and anti-virus protection was inadequate.
The ICO said it was “satisfied” that the contraventions identified are “serious”, due to the large number of data subjects affected, the types of personal data that were compromised, the long duration of the breach and the number of failings identified.