UK’s ICO Fines Cathay Pacific £500,000 for 2018 Breach
The UK’s data protection watchdog has issued the maximum possible fine to Cathay Pacific in response to a major breach at the Asian airline which resulted in the compromise of millions of customers’ data.
The £500,000 penalty from the Information Commissioner’s Office (ICO) comes under the old Data Protection Act 1998, which was superseded by the GDPR, and its UK version the Data Protection Act 2018.
Over 111,000 of the Hong Kong airline’s 9.5 million global passengers were from the UK. The ICO judged that between October 2014 and May 2018 insufficient security measures were put in place, enabling hackers to compromise an internet-connected server and install data harvesting malware in the 2018 breach.
Specifically, it called out a “catalog of errors” including: back-up files that weren’t password protected unpatched internet-facing servers, inadequate AV and use of unsupported operating systems.
“People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here,” said ICO director of investigations, Steve Eckersley.
“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.”
The size of the UK fine also shines a light on the inadequacies of Hong Kong’s domestic data protection regime.
It took Cathay Pacific seven months to report the incident, although it was under no legal obligation to do so at all. The privacy commissioner was also powerless to levy fines. The only option was an enforcement notice citing violation of privacy laws and an order that the firm improved its cybersecurity posture.
Even if the airline had failed to comply with the order, it would only have faced a fine of HK $50,000 ($6433).
The Special Administrative Region (SAR) of China is looking to update its privacy laws in line with the GDPR, to include major fines levied in the future as a percentage of global turnover.
source infosecuritymagazine
Industry: Cyber Security
Latest Jobs
-
- Senior Presales Consultant | Managed Security Services | London
- London
- N/A
-
Senior Presales Consultant – Managed Security Services Location: London-commutable (Hybrid) A well-established cyber consultancy is seeking a Senior Presales Consultant to drive growth across its managed security services / advisory portfolio. This hybrid role bridges commercial and technical expertise supporting solution design, shaping customer proposals, and guiding conversations from scoping through to delivery. Key experience: Background in managed security services, including SOC operations and threat detection Strong knowledge of cloud and on-prem security tooling (SIEM, EDR, IAM) Penetration testing Proven ability to translate technical concepts into clear business value Confident in customer-facing engagements and pre-sales delivery Experience contributing to bids, proposals, and RFI/RFP responses To find out more contact me on 07884666351 Visa sponsorship is unfortunately not available for this role.
-
- New Business | Cyber Security | Overlay sales (UK Based- London commutable)
- London
- N/A
-
New Business Sales Hunter needed | Cybersecurity (UK Based- London commutable) Are you looking for uncapped commission, a fun and sociable team that drives success with no politics? If so...You must Have a demonstrable history of sales success in Cyber Security Follow Weatons law. The role: Seeking a proven New Business Sales Hunter to join an established, successful and expanding team. New business focused - £500-750 GP Sell a blend of security services & professional services. Ideal experience selling some or all of the following Cyber strategy & risk management Managed detection & response (MDR) Penetration testing Compliance & audit support You: Strong cybersecurity/IT services sales track record. Confident selling into mid-market & enterprise. UK based - London commutable Hunter mindset, full sales cycle ownership. Don't just send an email to apply give me a call on 07884666351
-
- New Business Sales Hunter | Cyber Security (UK Based)
- London
- To attract the right person
-
New Business Sales Hunter needed | Cybersecurity (UK Based) Are you looking for uncapped commission, a fun and sociable team that drives success with no politics? If so...You must Be UK based - and able to achieve UK SC clearance. (sorry no visas) Have a demonstrable history of sales success in Cyber Security Follow Weatons law. The role: Seeking a proven New Business Sales Hunter to join an established, successful and expanding cyber security firm. New business focused - £1m GP year one target (ramped). Sell a blend of security services & professional services. Ideal experience selling some or all of the following Cyber strategy & risk management Managed detection & response (MDR) Penetration testing Compliance & audit support You: Strong cybersecurity/IT services sales track record. Confident selling into mid-market & enterprise. UK based - London commutable 1x per week. Hunter mindset, full sales cycle ownership. Don't just send an email to apply give me a call on 07884666351