Cathay Pacific Airways Limited has been fined £500,000 for failure to protect customers’ personal data

The Information Commissioner’s Office (ICO) has fined the airline £500,000 for failing to secure its customers’ personal data. Cathay Pacific’s computer systems lacked appropriate security measures, which led to the exposure of the personal data of 111,578 UK residents and a further 9.4 million people internationally. The personal data exposed included names, dates of birth, passport details, addresses, phone numbers and travel history. The airline first became aware of suspicious activity in March 2018, when attackers tried to access the database by guessing passwords and passphrases. This was described as a “brute-force” attack and led Cathay Pacific to engage a cybersecurity firm, which subsequently discovered numerous errors and reported them to the ICO. The errors discovered included: back-up files that were not password protected; insufficient anti-virus protection; internet-facing servers without the latest patches; and the use of operating systems that were no longer supported by the developer.

Following the implementation of GDPR in May 2018, enhanced UK and European data protection laws have come into force. However, because of when Cathay Pacific’s breaches occurred, the ICO investigated this case under the Data Protection Act 1998. The ICO found that Cathay Pacific had breached Principle 7 of the Data Protection Act 1998, which provides that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data”. The fine of £500,000 is the maximum amount possible under the 1998 Act. Under GDPR, however, a company can be fined up to €20 million or 4% of its global annual turnover for the preceding year, whichever is greater, for severe violations. Companies therefore need to ensure that they comply with GDPR and have sufficient mechanisms in place to protect personal data, both to remain compliant with the law and to avoid fines. Over time, it is highly likely that the number of fines imposed will increase in line with the daily rate of breach notifications, which has risen from 247 notifications per day (the average during the first eight months of GDPR) to approximately 278 breach notifications per day.

If you require legal assistance regarding GDPR, then please do not hesitate to contact Christopher Buck, Associate Partner in our Business Services team on 01908 660966 / 01604 828282 or email BusinessServices@franklins-sols.co.uk.

Disclaimer: The information provided on this blog is for general informational purposes only and is accurate as of the date of publication. It should not be construed as legal advice. Laws and regulations may change, and the content may not reflect the most current legal developments. We recommend consulting with a qualified solicitor for specific legal guidance tailored to your situation.