On March 4, 2020, the UK Information Commissioner’s Office (“ICO”) fined the international airline Cathay Pacific Airways Limited (“Cathay Pacific”) £500,000 for failing to protect the security of its customers’ personal data. The fine was issued under the Data Protection Act 1998 (the “DPA”) and represents the maximum fine available. The ICO found that between October 2014 and May 2018, Cathay Pacific’s computer systems lacked appropriate security measures which led to customers’ personal details being exposed. Of the approximately 9.4 million customers affected worldwide, 111,578 were from the UK.

Cathay Pacific first became aware of suspicious activity on March 13, 2018, when one of its databases was subjected to a brute force attack. This prompted Cathay Pacific to launch an investigation, and it engaged a leading cybersecurity firm to assist with the investigation. The investigation found that there had been unauthorized access to Cathay Pacific’s systems from at least October 15, 2014, until May 11, 2018. The breach compromised a variety of types of personal data (in different quantities), including passenger names, nationalities, dates of birth, phone numbers, email and postal addresses, passport and identity card numbers (119,714 passport numbers issued by European Economic Area member states), frequent flyer membership numbers, customer service remarks and historical travel information.

The ICO became aware of the breach when Cathay Pacific self-reported on October 25, 2018. Following the breach, Cathay Pacific received approximately 12,000 complaints from customers worldwide, while the ICO received two complaints. There have been no confirmed cases evidencing the misuse of personal data accessed by the attackers. However, the ICO noted that it is likely that ensuing social engineering phishing attacks using the data will be successful.

Following its investigation, the ICO concluded that Cathay Pacific breached the seventh data protection principle (now Article 5(1)(f) of the EU General Data Protection Regulation), requiring that appropriate technical and organizational measures be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Specifically, the ICO determined:

  • The database backups were not encrypted, contrary to Cathay Pacific’s own policy. Had Cathay Pacific followed its own policy, the attackers would not have been able to access any personal data.
  • One internet-facing server was accessible due to a known and publicized vulnerability that was exploited by the attackers. The vulnerability had been published via the Common Vulnerabilities and Exposures system on February 21, 2007, but Cathay Pacific did not apply the fix to the server, despite both the vulnerability and the fix being public knowledge for over 10 years.
  •  Cathay Pacific’s administrator console was publicly accessible via the internet, despite the fact that it should only have been accessible to authorized Cathay Pacific employees or authorized third party support teams. No risk assessment was conducted in respect of the risks of affording third party access via a publicly accessible website, despite this being required by Cathay Pacific’s third party access policy.
  • One of the compromised systems was hosted on an operating system that was (and is) no longer supported, meaning that security updates were no longer released to patch vulnerabilities. This represented a failure by Cathay Pacific to adhere to its IT Assets Lifecycle Management Policy, which requires hardware and software to be updated upon reaching its end-of-life.
  • Contrary to Cathay Pacific’s policy requiring all unused ports to be de-activated to avoid illegal access, it could not provide evidence of adequate server hardening for two of the compromised systems.
  • Approximately 41,000 network users were permitted to authenticate past the VPN using just a user ID and password, without multi-factor authentication. The ICO noted that if multi-factor authentication had been in operation, the attackers would have not been able to use stolen credentials to access the VPN and the breach would have been avoided. In September 2018, Cathay Pacific began using multi-factor authentication for all users.
  • One server that hosted a compromised system did not have anti-virus software installed due to compatibility issues with the operating system. Cathay Pacific was also unable to provide evidence that adequate anti-virus protection was in operation on one other server that hosted a compromised system.
  •  Cathay Pacific failed to provide evidence of up-to-date patch management for servers hosting two compromised systems. Patch management logs were provided for one server, which showed the relevant server was missing 16 security updates that resolved publicly known vulnerabilities.
  • Despite servers being forensically analyzed during Cathay Pacific’s (and the third party cyber security firm’s) investigation, it had failed to adequately preserve digital evidence which meant that forensic evidence was no longer available for the ICO’s investigation.
  • Several of the compromised accounts were members of the domain administrator group, which gave the attackers full control of the domain. Best practice (as outlined in Cathay Pacific’s privileged accounts standards) is to avoid this and adhere to the concept of “just enough administration” and “just in time administration.” The ICO noted that had Cathay Pacific adhered to best practice procedures and its own standards, it could have prevented the attackers from taking control of these privileged accounts.
  • Cathay Pacific was unable to provide evidence of when three of the compromised systems were last penetration tested. With respect to the other compromised systems, one had not been penetration tested for three years. The ICO considered this an inappropriately long period.
  • Retention periods were too long and, as a result, this led to more data being compromised as a result of the breach.

In determining whether a monetary penalty should be imposed, the ICO took into account a range of factors. Key considerations included: (1) the number of data subjects involved; (2) the nature of the processing; (3) the susceptibility of the compromised data to be used fraudulently; and (4) Cathay Pacific’s failures to follow its own policies or implement security measures that were known to be necessary. The ICO also considered that issuing a monetary penalty was an important deterrent against future contraventions of this nature, both by Cathay Pacific and other organizations.

When determining the amount of penalty to impose, the ICO took into account the following aggravating factors: (1) Cathay Pacific failed to follow its own policies, which demonstrated that they were aware of the risks; (2) the duration of the breach (3 years, 7 months); (3) Cathay Pacific did not follow best practice in retaining data following the breach which prevented the ICO from having a comprehensive picture of Cathay Pacific’s actions; and (4) Cathay Pacific’s failure to comply with several of the most fundamental principles of data security, including four out of five National Cyber Security Centre basic Cyber Essentials. The ICO also recognized significant mitigating factors, including that Cathay Pacific had acted promptly and forthrightly since becoming aware of the breach. In particular, the ICO noted that Cathay Pacific went “above and beyond its legal obligations in issuing appropriate information to data subjects and co-operating with the Commissioner’s investigation.”