Cathay Pacific Airways Fined Over Long-Running Breach


UK Information Commissioner Fines Cathay Pacific $646,000 Over Long-Running Breach


The UK Information Commissioner's Office (ICO) announced Wednesday that it has fined Hong Kong-based Cathay Pacific Airways Ltd the maximum possible £500,000 ($646,000) following a long-running breach that lasted from October 2014 to May 2018.


The current UK Data Protection Act 2018 came into force on May 23, 2018, 12 days after the breach was remedied. Had the DPA 2018 been in force during the breach, had the maximum possible fine been levied, and had Cathay Pacific's revenue been similar to 2016's $10 billion, the fine could potentially have been as much as $400 million (4% of revenue). By comparison, the Cathay Pacific fine is considerably less than the $230 million GDPR fine the ICO announced against British Airways for its 2018 breach.


The ICO's Notice of Monetary Penalty (PDF) describes two separate groups that breached the airline's systems. Both were discovered during an investigation that followed "a brute force attack against its Active Directory database"; it seems likely that attack came from a third attacker.


It isn't known how one of the groups got into Cathay Pacific. The other apparently entered via an internet-facing server, moved laterally, installed malware and harvested credentials from 10 August 2017 onwards. The earliest known unauthorized access was 15 October 2014, and the earliest unauthorized access to personal data was 2 July 2015.


The breach was extensive, with 9.4 million data subjects being affected worldwide. Of these, only 111,578 were UK subjects. However, the number of subjects involved is less important than the type of data stolen (that is, data 'likely to cause substantial damage or distress'), and the quality of security controls in place with the ..
