By Michael Cowley on March 13, 2020

Cathay Pacific's data breach fine and what companies can learn from it


Nearly two years have passed since Cathay Pacific, a Hong Kong-based airline, suffered a data breach that impacted millions.

With over 100,000 of those victims being UK citizens, the Information Commissioner’s Office (ICO) recently levied a £500,000 fine on the company. It’s a reminder that cyber security incidents can have long-lasting, far-reaching consequences for both consumers and companies.

Here’s a quick look at what happened, why Cathay Pacific was fined and what businesses can do to avoid making the same mistakes.

Cathay Pacific data breach and fine

Cathay Pacific announced that a data breach took place in October 2018. The airline found a malicious actor brute-forcing its Active Directory.

But the data breach went back much further than that, first taking place in October 2014. After the company found out, it didn’t disclose the information to the ICO for five months, claiming that it had taken significant time to investigate the incident – something that didn’t sit right with the ICO.

Once a cyber security consultant was called in to investigate, assess and remediate the incident, it became clear that not one but two separate malicious actors had established a presence in the digital environment over the four-year period.

The ICO attributed the attacks to poorly protected backups, unpatched vulnerabilities, a lack of multi-factor authentication and weak cyber security measures in general.

Cathay Pacific’s lackadaisical approach to cyber security resulted in 9.4 million records being compromised, 112,000 of which were UK customers. The information that was exposed includes:

  • Passengers’ names, passport and personal information
  • Email addresses
  • Phone numbers
  • Travel history
  • 430 credit cards, with roughly 6 percent of them still being active.

At the time of the breach, Cathay Pacific, a publicly traded company, was flirting with its highest stock price in almost three years, reaching 14 HKD per share. Since the data breach was reported, the stock has failed to recover despite fluctuating back up to the 13 HKD range.

In early March 2020, the ICO concluded its inquiries and found that Cathay Pacific’s ignorance with regard to its cyber security – which included vulnerabilities that had gone unpatched for a decade – had earned it a £500,000 fine. It’s the largest possible fine awardable under the Data Protection Act of 1998.

Things could have been worse, however. Had the breach been discovered and reported just a few months later, when the General Data Protection Regulation went into effect, the company would likely have seen a fine closer to the one imposed on British Airways in July 2019 – which was to the tune of £183 million.

5 key takeaways from the Cathay Pacific data breach and fine

So, what are the key takeaways from a situation like Cathay Pacific’s? It all boils down to five lessons that businesses should learn.

1. Have an Incident Response (IR) plan in place

Since October 2018, Cathay Pacific has seen its share price steadily decline. Investor confidence plays a massive part for any organisation and companies must do their utmost to maintain it.

Having an IR plan is a no-brainer these days. It helps companies understand what to do in the case of a breach and, just as important, how they should communicate what has happened and what the next steps are.

2. Implement encryption across the board

Cathay Pacific failed to encrypt and secure its database backups. This effectively left customer records exposed in plain text, something there’s simply no reason to do.

All organisations need to understand what data their servers are holding, where it lives and how to protect it. This includes data created by back-of-house and maintenance teams, like backups.

3. Patch vulnerabilities quickly

Hackers always look for low-hanging fruit – i.e. easy targets – and Cathay Pacific was clearly one of them. The company had a number of externally facing servers with vulnerabilities that dated back 10 years.

The company failed to understand its exposure and qualify the risk to the wider business, and that’s why those servers ended up being one of the ways it was breached. Quickly identify, assess and remediate vulnerabilities before they can be exploited. The cost is always well worth it.

4. Ensure systems are supported

Of course, patching was never much of an option for Cathay Pacific and the reason behind that is its outdated systems. The company had multiple production platforms with operating systems which were all out of support, meaning patching was never possible in the first place.

It’s clear that Cathay Pacific didn’t have adequate asset management to understand where its assets were, which platforms were affected and how the company could resolve the issue.

5. Upgrade cyber security tools

Cathay Pacific was found to have inadequate antivirus deployed across its digital estate, both in terms of deployment footprint as well as its management. The antivirus was signature-based and lacked routine updates, leaving the environment open to compromise from malicious executables.

We shouldn’t have to say it, but given how hackers are always deploying emerging methods and tactics, using next-generation antivirus should be a given.

Integrity360 has years of experience in helping companies create Incident Response plans and better manage their cyber security strategy to avoid cyber security incidents like the one that Cathay Pacific faced. Contact us today to learn how we can help your business.

