Cathay Pacific has been issued with a fine of £500,000 by the British Information Commissioner's Office (ICO).
The airline's systems were found to have been hacked, exposing personal data including names, passport details, dates of birth, phone numbers, addresses and travel history of more than 9.4 million people which included 111,578 Brits.
According to the ICO, the Hong Kong-based airline did not have appropriate security measures in place between October 2014 and May 2018, and only became aware of the intrusion three years after it began, when the attackers attempted a brute-force password-guessing attack.
The fine is the maximum possible penalty that the watchdog could impose on the airline for failing to protect user data.
The ICO investigation revealed "a catalogue of errors" which resulted in the breach. These included backups that were neither encrypted nor password-protected, continued use of an internet-facing server with a known but unpatched vulnerability, use of an unsupported operating system, and inadequate anti-virus protection.
“People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here,” said Steve Eckersley, ICO director of Investigations.
The system was found to have several deficiencies that were well below standards, and the airline was not able to satisfy four out of five basic guidance points of the National Cyber Security Centre, Eckersley added.
Reports suggest that the penalty was decided according to the Data Protection Act 1998 rather than the newer GDPR rules "due to the timing of the incidents in this investigation." This resulted in a fine of just £500,000; under the newer rules, however, the airline would have faced a penalty of approximately four percent of its global turnover, equivalent to around £470 million.
Cathay Pacific said in its statement that it would "once again like to express its regret, and to sincerely apologise for this incident."
"Substantial amounts have been spent on IT infrastructure and security over the past three years and investment in these areas will continue," it added.