The UK’s Information Commissioner’s Office (ICO) has fined Cathay Pacific for “a number of basic security inadequacies” which resulted in hackers stealing the data of 9.4 million people worldwide – including 111,578 from the UK.
In October 2018, the Hong Kong-based airline admitted that hackers had broken into its internal systems and accessed passenger data – including names, nationalities, dates of birth, phone numbers, email addresses, postal addresses, passport details, frequent flier numbers, and historical travel information.
However, it is now known that the security breach had been going on since at least 15 October 2014, and was only identified in May 2018 after Cathay Pacific became aware of a brute force attack against its Active Directory database.
A subsequent investigation determined that there had been two separate groups of attackers, one of which had managed to install password-stealing malware and use the stolen credentials to access admin systems.
Cathay Pacific only informed the ICO of the security breach five months later, on 25 October 2018, saying that it had taken several months to analyse the data and fully understand the impact of the breach.
The airline’s share price fell following criticism that it had taken too long to come clean about the hack.
Amongst Cathay Pacific’s failures, according to the ICO, were that the company had failed to encrypt database backups containing personal data, that the airline had failed to patch an internet-facing server against a vulnerability that had been public knowledge for over 10 years, and that out-of-date, no-longer-supported operating systems were being used on servers processing sensitive data.
In addition, the ICO noted that some 41,000 users were able to access Cathay Pacific’s VPN with just a username and password, with no additional authentication required:
“If Cathay Pacific had required MFA for every user, the attackers would not have been able to use the stolen credentials to access the VPN and the data breach would have been avoided.”
In September 2018, Cathay Pacific began rolling out multi-factor authentication (MFA) across all users. That is a good thing, of course, but it really should have happened much sooner.
The ICO has today announced it is fining Cathay Pacific £500,000 – with a 20% reduction to £400,000 if the penalty is paid by 12 March 2020.
Cathay Pacific is not the only airline to find itself in the spotlight of data watchdogs. In July last year it was revealed that British Airways was facing a £183 million fine from the ICO after travellers’ data was harvested by hackers.