March 5, 2020

UK regulator fines Cathay Pacific for data protection failures

On March 4, 2020, the UK Information Commissioner’s Office announced that it had fined Cathay Pacific Airways Limited £500,000 pursuant to section 55A of the Data Protection Act 1998, for failing to protect its customers’ data. Specifically, the ICO said that the airline did not have adequate security measures in place between October 2014 and May 2018, and that as a result, over 9 million customers’ personal information was exposed.

According to the ICO, Cathay Pacific became aware of attempts by outsiders to enter its database in March 2018, and thereafter engaged a cybersecurity firm to investigate; the cybersecurity experts reported the suspicious activity to the ICO, which found that the airline’s systems had been penetrated earlier due to “a catalogue of errors,” including back-up files without password protection, unpatched internet-facing servers, operating systems no longer supported by the developer, and inadequate anti-virus protection.

Cathay Pacific is incorporated in Hong Kong and operates a branch in the United Kingdom. Due to the timing of the security incidents, the General Data Protection Regulation and the Data Protection Act 2018 do not apply. The ICO found the airline’s security deficiencies to be a serious contravention of Principle 7 of the Data Protection Act 1998, which mandates the implementation of appropriate measures to protect against unauthorized processing of personal data.

ICO news release | Monetary Penalty Notice