ICO - Monetary penalty to Cathay Pacific Airways Limited

From GDPRhub
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(f) GDPR
Section 7 Data Protection Act 2018 (DPA 2018)
Type: Investigation
Outcome: Violation Found
Decided: 10.02.2020
Fine: 500,000 GBP
Parties: Cathay Pacific Airways Limited
National Case Number/Name:
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: n/a

The ICO imposed a monetary penalty of GBP 500,000 on Cathay Pacific Airways Limited ("Cathay Pacific") for failing to protect the security of its customers' personal data. The investigation that led to the fine began on 25 October 2018, after Cathay Pacific self-reported the data breaches, which the ICO found to be in violation of Article 5(1)(f) GDPR. Between October 2014 and May 2018 Cathay Pacific's computer systems lacked appropriate security measures, which led to the exposure of customers' personal data: 111,578 of the affected individuals were from the UK, and approximately 9.4 million more were located worldwide.

English Summary

Facts

The airline's failure to secure its systems resulted in unauthorised access to its passengers' personal details, including names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information. Cathay Pacific became aware of suspicious activity in March 2018 when its database was subjected to a brute force attack, in which large numbers of passwords or phrases are submitted in the hope of eventually guessing one correctly. The incident led Cathay Pacific to engage a cybersecurity firm, and it subsequently reported the incident to the ICO. The ICO found that Cathay Pacific's systems had been entered via a server connected to the internet and that malware had been installed to harvest data. The ICO's investigation identified several failings, including: back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer; and inadequate anti-virus protection.
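The brute force activity described above is the kind of signal a controller is expected to notice. The following is an added example, not code from the ICO notice or from Cathay Pacific's systems: a small detector that reads constructed syslog-style authentication lines (the line format, source addresses and account names are invented for this example) and flags any source address that accumulates a threshold of failed logins inside a sliding time window, noting whether a successful login followed the burst, which is the case a responder most wants surfaced.

```python
"""Sliding-window brute force detection over constructed auth log lines.

Added example; not part of the ICO decision or of any real system. The log
format below is assumed for illustration only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<timestamp> auth[<source ip>] <FAIL|OK> user=<account>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"auth\[(?P<src>[0-9.]+)\] (?P<result>FAIL|OK) user=(?P<user>\S+)$"
)

# Constructed sample: one source hammers two accounts and then logs in;
# a second source shows an ordinary single typo; a late lone failure from
# the first source falls outside the window and does not extend the burst.
SAMPLE_LOG = """\
2018-03-13 02:00:01 auth[203.0.113.7] FAIL user=jsmith
2018-03-13 02:00:02 auth[203.0.113.7] FAIL user=jsmith
2018-03-13 02:00:04 auth[203.0.113.7] FAIL user=jsmith
2018-03-13 02:00:05 auth[203.0.113.7] FAIL user=mlee
2018-03-13 02:00:07 auth[203.0.113.7] FAIL user=mlee
2018-03-13 02:00:09 auth[203.0.113.7] FAIL user=mlee
2018-03-13 02:00:11 auth[203.0.113.7] OK user=mlee
2018-03-13 02:03:00 auth[198.51.100.9] FAIL user=akhan
2018-03-13 02:03:20 auth[198.51.100.9] OK user=akhan
2018-03-13 03:30:00 auth[203.0.113.7] FAIL user=jsmith
"""


def parse_line(line):
    """Return (timestamp, source, success, account) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["src"], m["result"] == "OK", m["user"]


def detect_bruteforce(lines, window=timedelta(minutes=5), threshold=5):
    """Flag sources with >= threshold failures inside any sliding window.

    Returns {source: {"peak_in_window": int, "accounts": [..], "success_after": bool}}.
    "success_after" is set when a successful login from a flagged source occurs
    after the burst was detected, i.e. the guessing may have worked.
    """
    recent = defaultdict(deque)   # source -> timestamps of failures still in window
    accounts = defaultdict(set)   # source -> accounts targeted by failures
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip lines in an unexpected format
        ts, src, ok, user = parsed
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()             # drop failures older than the window
        if ok:
            if src in alerts:
                alerts[src]["success_after"] = True
            continue
        q.append(ts)
        accounts[src].add(user)
        if len(q) >= threshold:
            alert = alerts.setdefault(
                src, {"peak_in_window": 0, "accounts": [], "success_after": False}
            )
            alert["peak_in_window"] = max(alert["peak_in_window"], len(q))
            alert["accounts"] = sorted(accounts[src])
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

The window and threshold are tuning knobs; the values here are assumed, and a real deployment would also key on the target account so that a distributed attack spread across many source addresses is not missed.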

Dispute

Although the ICO considered that the contraventions were not deliberate, it held that they were negligent, as Cathay Pacific ought reasonably to have known that the contraventions would both (i) occur and (ii) be of a kind likely to cause substantial distress. The ICO further held that Cathay Pacific failed to take reasonable steps to prevent these contraventions. In reaching this view, the ICO had regard in particular to: the fact that in many instances Cathay Pacific was failing to follow its own policies; the fact that the best practices which were ignored were so fundamental; the availability of knowledge about the various vulnerabilities, whether via CVE or via notice from the service provider; and the fact that available controls were not implemented timeously or at all.

Holding

Although Cathay Pacific acted promptly and forthrightly once it became aware of the data breach, the ICO reached the view that it was appropriate to issue a monetary penalty of GBP 500,000, given the following aggravating features: the data controller's awareness of the risks posed by its own omissions, considering the long duration of the breach (3 years and 7 months); lack of best practice in retaining data following the breach; failure to choose the most secure technical settings; failure to efficiently control access to personal data; failure to apply the most secure anti-virus/malware technology; and failure to keep devices up to date.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English official version

No need for automated translation. Please refer to the original English decision for details.