Cathay Pacific fined $639,000 in U.K. over data-security lapses
INTERNATIONAL - Cathay Pacific Airways Ltd. was fined 500,000 pounds ($639,000) by the U.K.’s privacy watchdog for failing to protect customers’ data due to security lapses lasting nearly four years.
The penalty is the highest the U.K. authority could levy under old rules that were replaced in May 2018 with tougher measures boosting regulators’ fining powers.
Between October 2014 and May 2018, Cathay Pacific’s computer systems “lacked appropriate security measures which led to customers’ personal details being exposed, 111,578 of whom were from the U.K., and approximately 9.4 million more worldwide,” the U.K. Information Commissioner’s Office said in a statement on its website on Wednesday.
“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers,” Steve Eckersley, the ICO’s director of investigations, said in the statement. “The multiple serious deficiencies we found fell well below the standard expected.”
The airline is held responsible for failing to prevent “the unauthorized access to their passengers’ personal details,” including names, passport and identity details, the ICO added.
The U.K. ruling is another setback for the airline, which has slashed capacity as it copes with a reduction in travel demand amid the spread of the coronavirus and political protests in its home market of Hong Kong.
Cathay Pacific said in an emailed statement that it regrets the incident and has spent “substantial amounts” on IT infrastructure and security over the past three years.
“We have co-operated closely with the ICO and other relevant authorities in their investigations,” the company said. “Our investigation reveals that there is no evidence of any personal data being misused to date” and the airline “will continue to invest in and evolve our IT security systems.”