The UK's Information Commissioner's Office (ICO) has imposed a penalty of £500,000 on Cathay Pacific Airways for failing to secure the personal data of its customers.
“Between October 2014 and May 2018 Cathay Pacific’s computer systems lacked appropriate security measures which led to customers’ personal details being exposed, 111,578 of whom were from the UK, and approximately 9.4 million more worldwide,” said the ICO announcement.
“The airline’s failure to secure its systems resulted in the unauthorised access to their passengers’ personal details including: names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information,” it added.
The regulator listed a litany of errors on the part of the Hong Kong flag carrier, including back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer; and inadequate anti-virus protection.
At least one attack used a server that harboured a known vulnerability but had not been patched for more than 10 years, despite its existence being known. Hong Kong’s Privacy Commissioner last year found the airline guilty of a low regard for data privacy and of delay in disclosing the 2018 breach.
“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected,” said Steve Eckersley, ICO Director of Investigations, in the announcement.
“At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.”
In a statement about the penalty, the carrier said it "would once again like to express its regret, and to sincerely apologise for this incident".
The situation is as simple as not doing the basics, commented Adam Vincent, CEO of ThreatConnect.
“Organisations must understand the importance of good security and the value that a culture of security brings to the business. This starts with understanding security requirements and processes so businesses can ensure the right professionals and solutions are in place. Companies can then start to build a better understanding of the adversaries they are facing,” he said.
“Just as you wouldn't fail to do thorough research on your business rivals, why would you neglect to learn about the people trying to breach your systems? Companies should ensure a feedback loop exists within a business, where intelligence about threats constantly feeds operations and insights garnered from operations are fed back into the intelligence.”
On the other side, cyber-criminals are becoming more sophisticated, and organisations need to demonstrate they are serious about protecting customer data, keeping their business secure, and developing intelligence-driven security operations to minimise the threats they face, he added.
“Organisations continue to have an issue with large-scale data breaches and leaks of sensitive information from their databases, so it is vital that security teams regularly assess database security and ensure best practice is being followed,” observed Francis Gaffney, director of threat intelligence at Mimecast.
“Mistakes such as this one can easily be avoided and have massive repercussions, both financially and from a reputational perspective. To prevent these mistakes, IT teams must ensure they understand their environment and know exactly where data is being stored at all times. This will enable them to identify any vulnerabilities easily and fix any issues swiftly.”
For faster mitigation of a cyber-incident, it is important to have a detailed plan that is tested and updated regularly, Gaffney noted.
“By doing this, if an organisation does suffer some sort of incident, it can respond quickly and effectively to minimise the damage. In this particular case, the information leaked could be used in everything from sophisticated impersonation attacks to committing fraud by opening up cloned bank accounts and identity fraud.”
Many of Cathay’s errors would have gone undiscovered had its systems not been evaluated by a third party, observed Cesar Cerrudo, CTO at IOActive.
“As it took place before the GDPR came into effect, the company has gotten off lightly with a £500k fine – which is the maximum penalty under the 1998 Data Protection Act. Companies who find themselves in the same situation today could face a fine of up to four percent of annual global turnover or €20 million (£17 million), whatever is higher, which is more likely to put a serious financial strain on any organisation.”
The company's statement claimed that "substantial amounts" of money had been spent on improving security in the past three years.
"However, we are aware that in today's world, as the sophistication of cyber-attackers continues to increase, we need to and will continue to invest in and evolve our IT security systems," it added.