Cathay Pacific has been fined £500,000 by the UK's data protection regulator over a data breach it disclosed in 2018, after the EU's General Data Protection Regulation (GDPR) had entered into force, media reported. The breach is understood to have exposed the personal details of some 9.4 million customers worldwide, including 111,578 from the UK. After months of investigation, the Information Commissioner's Office (ICO) today formally announced the penalty.
Media pointed out that this is the maximum fine available under the pre-GDPR UK law that applied to the incident, the Data Protection Act 1998, and that it relates to the breach the airline disclosed in the autumn of 2018.
Cathay Pacific said at the time that it had first detected suspicious activity on its network in March 2018, but did not explain why it took until October to make the incident public.
The breach resulted in the disclosure of passenger details, including sensitive information such as names, passport numbers, dates of birth, email addresses, phone numbers and travel history.
The ICO said today that unauthorized access to Cathay Pacific's systems dates back to October 14, 2014. The earliest known date on which personal data was accessed without authorization was February 7, 2015.
“The ICO found that Cathay Pacific’s systems were accessed through servers connected to the Internet, and malware was installed to collect data,” the regulator wrote in a press release.
During the investigation, the regulator identified a number of errors and omissions, including backup files that were not password protected, Internet-facing servers that had not been patched, use of an operating system that was no longer supported by its developer, and inadequate anti-virus protection.
The penalty is notable because the UK has since incorporated the EU's GDPR framework into domestic law, bringing far stricter sanctions for offences involving personal data.
Under those rules, data controllers with UK operations are required to notify the national regulator within 72 hours of becoming aware of a personal data breach.
In addition, the GDPR provides for much heavier penalties of up to 4% of a company's annual worldwide turnover. Cathay Pacific escaped that exposure, however, because the infringement predated the new rules and the ICO therefore set the fine under the previous UK data protection regime, which capped penalties at £500,000.
By contrast, last summer the ICO announced its intention to fine British Airways £183 million, roughly 1.5 per cent of the airline's annual worldwide turnover, over a breach that exposed the data of about 500,000 customers and occurred after the GDPR came into force.