Another company fined for a data security breach

Why was the penalty issued?

The penalty was issued as a result of Cathay Pacific’s customer personal details being exposed in a cyber-attack. The details included names, passport and identity details, dates of birth and phone numbers. The unauthorised access to the organisation’s systems began in October 2014 but it was not until the organisation became aware of unusual activity in March 2018 (when a database was subject to a brute force attack) that it engaged an independent cybersecurity firm to investigate.

The breach was reported to the ICO on 25 October 2018 – it was explained that several months were needed to analyse the data and understand the nature of the breach.  As the incidents occurred before 25 May 2018 this issue was dealt with under the Data Protection Act 1998 (DPA 1998). However, it contains important points to consider when you look at your own cyber-security measures.

How did the breach occur?

A number of deficiencies were found in the organisation’s data security which led to the breach occurring, including:

• Database backups were not encrypted, contrary to its own policies;
• One of the servers which was accessed had not been  fixed despite containing a known vulnerability which organisations were first alerted about back in 2007!;
• Patch management was inadequate meaning that software patching was not applied methodically. Cathay Pacific could not provide any evidence of patching for some of its systems which were attacked;
• It had too many internal administration accounts which had full access to its systems.  It didn’t use a policy of “just enough administration” whereby each user account is only given the tools needed to perform its specific administration task;
• Its administrator console was publicly available, via the internet, when it should only have been accessible to its employees and authorised third parties;
• A system was hosted on an operating system that was no longer supported (i.e. there was no support and maintenance package available for this system);
• Anti-virus protection was inadequate and penetration testing was not carried out with sufficient regularity; and
• Data retention periods were too long – less personal data would have been at risk had more appropriate retention periods been applied.

The ICO held that the failures related to “several of the most fundamental principles of data security”. It was found that the organisation had failed to satisfy four of the five National Cyber Security Centre basic Cyber Essentials, including keeping devices and software up-to-date and choosing the most secure settings for devices and software.

The ICO found, in mitigation, that the organisation had “acted promptly and forthrightly” after becoming aware of the breach, and went “above and beyond its legal obligations in issuing appropriate information to data subjects” and co-operating with the ICO and its investigation.

The £500,000 penalty

The ICO’s penalty of £500,000 is the maximum that can be given under the DPA 1998 and is restricted to this amount as the breach happened before the GDPR came into force. A similar breach now would be likely to lead to a much more significant fine, such as the ICO’s notice of intention to fine British Airways £183.39m for GDPR infringements.

What should you do now?

Although the penalty in this case was issued under the DPA 1998, it again highlights the importance of ensuring that your data security systems are constantly monitored and kept up-to-date. Ward Hadaway has a specialist team of data protection experts who can assist and advise you on any concerns or issues that you may have on data protection, including handling personal data breaches and data security training.

For further information, please get in touch.