On March 4, 2020, the UK Information Commissioner’s Office (“ICO”) fined the international airline Cathay Pacific Airways Limited (“Cathay Pacific”) £500,000 for failing to protect the security of its customers’ personal data. The fine was issued under the Data Protection Act 1998 (the “DPA”) and represents the maximum fine available. The ICO found that between October 2014 and May 2018, Cathay Pacific’s computer systems lacked appropriate security measures which led to customers’ personal details being exposed. Of the approximately 9.4 million customers affected worldwide, 111,578 were from the UK.
Cathay Pacific first became aware of suspicious activity on March 13, 2018, when one of its databases was subjected to a brute force attack. This prompted Cathay Pacific to launch an investigation, and it engaged a leading cybersecurity firm to assist with the investigation. The investigation found that there had been unauthorized access to Cathay Pacific’s systems from at least October 15, 2014, until May 11, 2018. The breach compromised a variety of types of personal data (in different quantities), including passenger names, nationalities, dates of birth, phone numbers, email and postal addresses, passport and identity card numbers (119,714 passport numbers issued by European Economic Area member states), frequent flyer membership numbers, customer service remarks and historical travel information.
The ICO became aware of the breach when Cathay Pacific self-reported on October 25, 2018. Following the breach, Cathay Pacific received approximately 12,000 complaints from customers worldwide, while the ICO received two complaints. There have been no confirmed cases evidencing the misuse of personal data accessed by the attackers. However, the ICO noted that it is likely that ensuing social engineering phishing attacks using the data will be successful.
Following its investigation, the ICO concluded that Cathay Pacific breached the seventh data protection principle (now Article 5(1)(f) of the EU General Data Protection Regulation), requiring that appropriate technical and organizational measures be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Specifically, the ICO determined:
- The database backups were not encrypted, contrary to Cathay Pacific’s own policy. Had Cathay Pacific followed its own policy, the attackers would not have been able to access any personal data.
- One internet-facing server was accessible due to a known and publicized vulnerability that was exploited by the attackers. The vulnerability had been published via the Common Vulnerabilities and Exposures system on February 21, 2007, but Cathay Pacific did not apply the fix to the server, despite both the vulnerability and the fix being public knowledge for over 10 years.
- Cathay Pacific’s administrator console was publicly accessible via the internet, despite the fact that it should only have been accessible to authorized Cathay Pacific employees or authorized third party support teams. No risk assessment was conducted in respect of the risks of affording third party access via a publicly accessible website, despite this being required by Cathay Pacific’s third party access policy.
- One of the compromised systems was hosted on an operating system that was (and is) no longer supported, meaning that security updates were no longer released to patch vulnerabilities. This represented a failure by Cathay Pacific to adhere to its IT Assets Lifecycle Management Policy, which requires hardware and software to be updated upon reaching its end-of-life.
- Contrary to Cathay Pacific’s policy requiring all unused ports to be de-activated to avoid illegal access, it could not provide evidence of adequate server hardening for two of the compromised systems.
- Approximately 41,000 network users were permitted to authenticate past the VPN using just a user ID and password, without multi-factor authentication. The ICO noted that if multi-factor authentication had been in operation, the attackers would have not been able to use stolen credentials to access the VPN and the breach would have been avoided. In September 2018, Cathay Pacific began using multi-factor authentication for all users.
- One server that hosted a compromised system did not have anti-virus software installed due to compatibility issues with the operating system. Cathay Pacific was also unable to provide evidence that adequate anti-virus protection was in operation on one other server that hosted a compromised system.
- Cathay Pacific failed to provide evidence of up-to-date patch management for servers hosting two compromised systems. Patch management logs were provided for one server, which showed the relevant server was missing 16 security updates that resolved publicly known vulnerabilities.
- Despite servers being forensically analyzed during Cathay Pacific’s (and the third party cyber security firm’s) investigation, it had failed to adequately preserve digital evidence which meant that forensic evidence was no longer available for the ICO’s investigation.
- Several of the compromised accounts were members of the domain administrator group, which gave the attackers full control of the domain. Best practice (as outlined in Cathay Pacific’s privileged accounts standards) is to avoid this and adhere to the concept of “just enough administration” and “just in time administration.” The ICO noted that had Cathay Pacific adhered to best practice procedures and its own standards, it could have prevented the attackers from taking control of these privileged accounts.
- Cathay Pacific was unable to provide evidence of when three of the compromised systems were last penetration tested. With respect to the other compromised systems, one had not been penetration tested for three years. The ICO considered this an inappropriately long period.
- Retention periods were too long and, as a result, this led to more data being compromised as a result of the breach.
In determining whether a monetary penalty should be imposed, the ICO took into account a range of factors. Key considerations included: (1) the number of data subjects involved; (2) the nature of the processing; (3) the susceptibility of the compromised data to be used fraudulently; and (4) Cathay Pacific’s failures to follow its own policies or implement security measures that were known to be necessary. The ICO also considered that issuing a monetary penalty was an important deterrent against future contraventions of this nature, both by Cathay Pacific and other organizations.
When determining the amount of penalty to impose, the ICO took into account the following aggravating factors: (1) Cathay Pacific failed to follow its own policies, which demonstrated that they were aware of the risks; (2) the duration of the breach (3 years, 7 months); (3) Cathay Pacific did not follow best practice in retaining data following the breach which prevented the ICO from having a comprehensive picture of Cathay Pacific’s actions; and (4) Cathay Pacific’s failure to comply with several of the most fundamental principles of data security, including four out of five National Cyber Security Centre basic Cyber Essentials. The ICO also recognized significant mitigating factors, including that Cathay Pacific had acted promptly and forthrightly since becoming aware of the breach. In particular, the ICO noted that Cathay Pacific went “above and beyond its legal obligations in issuing appropriate information to data subjects and co-operating with the Commissioner’s investigation.”
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code