The UK’s Information Commissioner’s Office (ICO) has found Hong Kong-based air carrier Cathay Pacific in breach of data protection law on several counts in connection with the data breach the airline reported in 2018. As a result, Cathay Pacific has been ordered to pay a data breach fine of £500,000 (approx. US$640,000) by March 13, 2020.
Cathay Pacific Data Breach
Cathay Pacific collects and stores flyers’ data, including their names, passport numbers, contact details, dates of birth and nationalities, for official use. It also stores information from its frequent flyer loyalty program, including membership numbers, previous travel and customer support interaction records.
Cathay Pacific discovered the data breach in March 2018 when one of its databases was targeted by a brute force attack. It immediately engaged a cybersecurity firm to investigate the cyberattack. While investigating the root cause and the threat actors behind the brute force attack, the forensic experts subsequently unearthed a much larger data breach.
According to the ICO’s report, between October 15, 2014 and May 11, 2018, Cathay Pacific’s computer systems lacked adequate security measures. This led to the compromise of the personal details of approximately 9.4 million customers worldwide, of which 111,578 were from the U.K.
The air carrier officially reported the data breach to the ICO only on October 25, 2018, after analyzing the compromised data and the extent of the breach. In the meantime, it also set up customer care services and sent precise, accurate notifications telling each affected individual exactly what data was leaked.
ICO’s Verdict
The ICO said that the breach affected four of Cathay Pacific’s databases: the customer database, the membership details database, the web applications’ back-end database and a transient database used by Asia Miles members for award points redemption. After analyzing all of these breaches and their corresponding causes, the commissioner found Cathay Pacific in violation of the Data Protection Principle (DPP7) on multiple counts. The failings include unencrypted database backups, security patches not applied to known server vulnerabilities, unrestricted admin-level access from the public internet, an unsupported operating system on one of the compromised servers, a lack of two-factor/multi-factor authentication (2FA/MFA), and inadequate penetration testing, among others.
Although the £500,000 (approximately US$640,000) penalty is large, the ICO has also offered a 20% reduction in the total penalty amount, bringing it down to £400,000 (approximately US$516,000), if Cathay Pacific pays the data breach fine by March 12, 2020 at the latest.