Cathay Pacific Airways has been fined £500,000 for a data breach dating back to March 2018.
The U.K.'s Information Commissioner’s Office (ICO) imposed the fine, saying that between October 2014 and May 2018, the airline’s computer systems did not have “appropriate security measures” to protect customer data.
A statement says this led to personal details of about 9.4 million customers being exposed.
Data included names, passport and identity details, dates of birth and postal and email addresses.
The ICO goes on to say that Cathay Pacific became aware of suspicious activity in March 2018, when its database suffered “a brute force attack,” whereby many passwords and phrases are submitted by an attacker in the hope of guessing correctly and gaining entry to systems.
At this point, Cathay Pacific called in a cybersecurity firm.
Steve Eckersley, ICO director of investigations, says: “This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected.
“At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.”
Last July, the ICO said it intended to fine British Airways more than £183 million because of a cyber attack believed to have started in June 2018.
Days later, Marriott was also informed of the ICO’s intention to fine it £99 million for the breach it disclosed in November 2018.
Both travel companies said they would appeal the decisions. A spokesperson for the ICO says the process is ongoing.
The penalty against Cathay Pacific comes under the U.K.'s Data Protection Act, while the fines imposed on British Airways and Marriott are for breaches of the General Data Protection Regulation, introduced in May 2018.