Cathay Pacific fined over crooks slurping its database for over 4 years

The UK’s Information Commissioner’s Office (ICO) said on Wednesday that it’s fined Cathay Pacific Airways £500,000 (USD $647,015, €576,992) for failing to secure passengers’ personal details, leading to malware being installed on its server that harvested millions of people’s names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.

Cathay said at the time that the intruders also accessed 403 expired credit card numbers, as well as 27 credit card numbers that didn’t have a CVV attached.

This wasn’t a one-time security fail, the ICO said. All that data was at risk for over four years.

Cathay, which is based in Hong Kong, first realized in March 2018 that its database had been hit by a brute-force attack. As we’ve explained previously, you can think of such an attack like this:

→ Brute force is the way you open those cheap bicycle locks with wheels numbered 0 to 9 if you forget the code. You turn the dials to 0-0-0 and then click round systematically, counting up digit by digit, until the lock pops open.

Once it found that its database had been rifled through in 2018, Cathay Pacific hired a cybersecurity firm and subsequently reported the incident to the ICO.

Investigations found that the airline lacked appropriate security to secure customers’ data from October 2014 to May 2018. The data was exposed for longer than that, though: Cathay said in October 2018 that its system had been compromised at least seven months prior. As the New York Times reported, Cathay learned in May 2018 that passenger data had been exposed after first discovering suspicious activity on its network in March.

Why didn’t the company announce the breach earlier? It didn’t say.

The incident led to the exposure of a huge trove of personal data belonging to 111,578 people from the UK and about 9.4 million more worldwide.

The ICO says that Cathay Pacific’s systems were entered via a server connected to the internet. Enabled by what the office called a “catalog of errors,” crooks managed to install data-harvesting malware. The security sins turned up by the ICO’s investigation included some basic ones: for example, the ICO found back-up files that weren’t password-protected, unpatched internet-facing servers, use of operating systems that were no longer supported by the developer, and inadequate anti-virus protection.

Steve Eckersley, ICO Director of Investigations:

People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here.

This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected.

The fine imposed on the company would have caused a lot more hurt if the breach had been discovered after the General Data Protection Regulation (GDPR) went into effect.

In July 2019, the ICO flexed its new GDPR muscles for real, imposing record fines on Marriott and British Airways (BA) for their data breaches. It said it was looking to fine BA a record £183.39 million (US $229.34 million at the time) for a breach discovered in September 2018. By diverting user traffic to a bogus site, attackers managed to steal personal data from about 500,000 customers, including their names, addresses, logins, payment card and travel booking details.

Marriott’s breach was similar to Cathay Pacific’s, given that attackers got into the company’s Starwood guest reservation database and stayed there for years: the unauthorized access started in 2014, and the breach was discovered and reported to the ICO in November 2018.

Though it escaped the weight of the GDPR hammer, the ICO Says that Cathay Pacific’s breach was “a serious contravention” of Principle 7 of the 1998 Data Protection Act, which states that “appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.”

For full details on the fine, check out the ICO’s Monetary Penalty Notice.


Latest Naked Security podcast

go top