Cathay Pacific fined £500,000 over customer data protection failure

personal data.

The UK watchdog said the airline's computer systems had exposed details of 111,578 UK residents and a further 9.4 million people from other countries. These included names, passport details, dates of birth, phone numbers, addresses and travel history.

"Appropriate security" was not in place between October 2014 and May 2018. The ICO said Cathay Pacific became aware of a problem in March 2018, when it suffered a "brute force" password-guessing attack. The Hong Kong-based firm reported this to the ICO.

The regulator said it subsequently uncovered "a catalogue of errors" during a follow-up investigation, including:

- back-up files that were not password protected
- internet-facing servers without the latest patches
- operating systems that were no longer supported by the developer
- inadequate anti-virus protection

At least one attack involved a server with a known vulnerability - but the fix was never applied, despite having been public knowledge for more than 10 years.

Steve Eckersley, the ICO's director of investigations, said there were "a number of basic security inadequacies across Cathay Pacific's system, which gave easy access to the hackers". The airline failed four out of five of the basic cyber-essentials guidance from the National Cyber Security Centre, he added.

By Joe Tidy, Cyber-security reporter

I'm told investigators were extremely concerned by the failures they found. It paints a picture of a company that did not take security of personal data seriously, and today's fine will be a wake-up call to them and other firms. It is, however, only a pittance compared to what it could have been if the hack had occurred more recently. New GDPR rules have increased the potential maximum fine, and it's clear the failures here would have warranted a far more severe punishment.

But both fines were delayed until later this year.

The ICO said that Cathay Pacific had acted promptly once it became aware, and sought expert help from a top cyber-security firm, and had also contacted affected customers. The report also noted there were no confirmed cases of the personal data being misused - but that it was very likely it would be in future.

In a statement about the fine, Cathay Pacific said it "would once again like to express its regret, and to sincerely apologise for this incident". It said "substantial amounts" of money had been spent on security in the past three years.

"However, we are aware that in today's world, as the sophistication of cyber-attackers continues to increase, we need to and will continue to invest in and evolve our IT security systems."