On March 6, 2020, Cathay Pacific Airways, Hong Kong’s flagship airline, was fined $970,000 for a data breach that exposed the personal information of 9.4 million passengers, including their names, passport details, dates of birth, phone numbers, addresses, and travel history, due to the company’s failure to protect this sensitive data.
The Data Breach Incident
The massive security breach was first detected by Cathay Pacific in March 2018, when the company experienced a “brute force” password-guessing attack, which was immediately reported to the Information Commissioner’s Office (ICO). The ICO later found a “catalogue of errors” that contributed to the breach. In October 2018, the affected customers were informed about the hacking incident, which was attributed to the lack of appropriate security measures. Steve Eckersley, the ICO’s director of investigations, stated that the Hong Kong-based carrier was found to have several inadequacies in its systems that gave the hackers access.
Inadequate Security Measures
According to Eckersley, “The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.” This lack of adherence to basic security protocols is particularly concerning, given the sensitive nature of the data that was compromised. The fact that Cathay Pacific failed to implement adequate security measures to protect its customers’ personal data raises questions about the company’s commitment to data protection.
Response and Aftermath
Cathay Pacific has apologized for the incident and given assurances that the necessary upgrades to its IT infrastructure and security systems had already been made after the leak. A company spokesperson stated, “We will continue to co-operate with relevant authorities to demonstrate our compliance and our ongoing commitment to protecting personal data.” While this response is a step in the right direction, it is unclear whether the measures taken by Cathay Pacific will be sufficient to prevent similar breaches in the future. The company’s failure to protect its customers’ data has damaged its reputation and eroded trust among its customers.
Regulatory Implications
The fine imposed on Cathay Pacific is a reminder of the importance of data protection and the need for companies to prioritize the security of their customers’ personal data. The incident highlights the need for stricter regulations and enforcement to ensure that companies take data protection seriously. As companies continue to collect and store large amounts of personal data, it is essential that they implement robust security measures to protect this data from unauthorized access. The Cathay Pacific data breach incident is a warning to companies that fail to prioritize data protection, and it is likely that regulatory bodies will continue to crack down on companies that do not take data protection seriously.
The Cathay Pacific data breach incident is a stark reminder of the importance of data protection and the need for companies to prioritize the security of their customers’ personal data. The fact that the company failed to implement adequate security measures to protect its customers’ data is a serious concern, and the fine imposed on Cathay Pacific is a warning to companies that fail to take data protection seriously. As the use of personal data continues to grow, it is essential that companies take steps to protect this data from unauthorized access, and regulatory bodies must continue to enforce strict regulations to ensure that companies prioritize data protection.