British airline company, Cathay Pacific, has been handed a £500,000 fine by the UK Information Commissioner’s Office (ICO) over a 2018 breach.
The UK Information Commissioner’s Office (ICO) has handed down another fine. This time, it is against the airline company Cathay Pacific. The company was fined £500,000 over a data breach that occurred in 2018. At the time, 9.4 million customers were exposed after hackers broke into their services. From TechCrunch:
Cathay Pacific has been issued a £500,000 penalty by the UK’s data watchdog for security lapses which exposed the personal details of some 9.4 million customers globally — 111,578 of whom were from the UK.
The penalty, which is the maximum fine possible under relevant UK law, was announced today by the Information Commissioner’s Office (ICO), following a multi-month investigation. It pertains to a breach disclosed by the airline in fall 2018.
At the time, Cathay Pacific said it had first identified unauthorized access to its systems in March, though it did not explain why it took more than six months to make a public disclosure of the breach.
The failure to secure its systems resulted in unauthorised access to passengers’ personal details, including names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.
While it is the maximum allowable fine under UK law, the company is no doubt feeling quite lucky with such a fine. This is because it could have been a heck of a lot worse. Under the General Data Protection Regulation (GDPR), companies could face a fine equivalent to a percentage of annual global turnover should they be found to have failed to properly secure their data or failed to disclose such information properly to authorities.
Ultimately, this could be seen as a warning shot to other companies who feel like they can simply skimp out on security measures. If you feel like this is something that will never happen to you and you simply choose to try and cut costs in this area, you are treading on thin ice at this point. This is because the GDPR also came into force in 2018. As this breach took place in 2018, it suggests that authorities are getting rather close to wrapping up investigations that occurred pre-GDPR. We’ll probably never know how many are left that occurred pre-GDPR at this point.
Of course, for an airline company, this fine doesn’t exactly come at the most convenient time. With fears of COVID-19 all over the place, governments around the world are already asking citizens travelling abroad to come home. In addition to that, a number of countries are restricting movements to citizens only. This will no doubt take a bite out of profits. With companies already running to the government with cap in hand for bailouts and fears of a global recession (or worse) on the horizon, the airline industry is no doubt witnessing the much talked about rainy day. So, already, what is happening these days can be seen as a test of how well the companies were able to prepare for something like this.
With this fine being handed out now, hopefully the message of not skimping out on security has been received. While the timing may be awkward, does the company really have anyone to blame but themselves over what happened?
Drew Wilson on Twitter: @icecube85 and Facebook.