ICO has announced that it is fining Cathay Pacific £500,000 – it’s the maximum fine under the 1998 Data Protection Act, as the breach took place pre-GDPR – for multiple data protection failings that left millions of customer records exposed.
In its statement, the ICO said that: “Between October 2014 and May 2018 Cathay Pacific’s computer systems lacked appropriate security measures which led to customers’ personal details being exposed, 111,578 of whom were from the UK, and approximately 9.4 million more worldwide” and that “A catalogue of errors were found during the ICO’s investigation”.
A breach like this is so avoidable and like with many incidents, was caused by a combination of both human error and malicious activity. The fact that such a number of basic security protocols were clearly missed in this situation is quite alarming and also embarrassing for the company. The fine of £500,000, the maximum figure possible under the UK’s Data Protection Act of 1998, underscores the severity of the situation and shows how costly breaches can be – both in damages with fines and to brand reputation. Having a basic level of security practice will start to be expected by customers wanting to do business and without offering those assurances, businesses could start to suffer if found to be lacking in security awareness and processes.
The Cathay Pacific breach demonstrated a litany of errors that left millions of customers’ data completely exposed for a number of years – many of which would have continued undiscovered had they not had a third party evaluation of their systems. As it took place before GDPR came into effect, the company has gotten off lightly with a £500k fine – which is the maximum penalty under the 1998 Data Protection Act. This sum is a drop in the ocean compared to what it could have been. Companies who find themselves in the same situation today could face a fine of up to 4% of annual global turnover or €20 million, whatever is higher, which is more likely to put a serious financial strain on any organisation.
Companies can’t afford to stick their heads in the sand and ignore cyber security any longer. It’s absolutely vital to exercise good security hygiene, prioritise data protection and keep cyber resiliency in mind. This means looking at their processes from end-to-end, considering how devices and systems are being used, connected and who is using them, to truly get a strong gauge of their cybersecurity posture. Yet it is equally important to take a proactive approach and go out looking for threats, using third parties who can think like a hacker to really test your defences, so you are not caught off-guard. Ultimately, no business can ever be 100% secure; it’s all about understanding the threat surface, reducing your risk, and protecting the crown jewels – i.e. your customer data.