ICO Fine Cathay Pacific £500,000 for failing to protect customers’ data

On the 4th March 2020 the ICO reported that they will fine Hong-Kong based airline Cathay Pacific £500,000 for failing to protect customer’s personal data – under the data protection act. 

The ruling is the result of an investigation by the ICO into Cathay Pacific following a high-profile data-breach which exposed the personal details of 9.4 million customers — 111,578 of whom were from the UK.

The ICO found that Cathay Pacific was in breach of the Data Protection Act based on a number of weak cybersecurity measures. On their website, they mention a wide range of cybersecurity lapses that Cathay Pacific faced, including unencrypted databases, inadequate anti-virus software, inconsistent patch management, failing to apply security updates and inappropriate access privileges.

The ICO also report that Cathay Pacific had data retention periods that were too long. For example with their loyalty card programme, which held data indefinitely, unless there was seven years of inactivity.

Another issue was that some forensic evidence was not properly preserved for the ICO to make a full review.

As reported on the ICO website: Steve Eckersley, ICO Director of Investigations, said:

“People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here.

“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.

“Under data protection law organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible.”

In effect due to the timing of the breach Cathay Pacific have escaped a much larger fine. 

Under the GDPR, which covers data protection cases from 25th May 2018 date, firms can be fined up to €20 million or 4% of annual global turnover.

However, because the data processing in this case occurred before GDPR became enforceable, Cathay Pacific are only subject to a fine under the Data Protection Act. Of which the financial penalties are significantly more lenient than the current GDPR & DPA18 legislation.

Cathay Pacific have since made changes to their data protection practices. This this is particularly evident on their website, where detailed opt-in boxes accompany many of their marketing activities. 

However it appears that Cathay Pacific are now casting the net wide with regards to what data they can collect on their users. 

Their privacy policy, as of 29th July 2020 lists “your use of our inflight entertainment system and inflight connectivity, your images captured via CCTV in our airport lounges and aircraft” as some of the data they collect. 

It appears that surveillance capitalism extends to the skies.


⚠️ Try our free GDPR course. Section 1 and Section 2 available now, sign up and start learning immediately.