Cathay Pacific Airways Limited – €585,000 Fine (United Kingdom, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Cathay Pacific Airways was fined for failing to secure passenger data, leading to unauthorized access. The UK Information Commissioner's Office found that the airline's negligence, in running outdated systems and ignoring security practices, led to a data breach. This case emphasizes the necessity of robust cybersecurity measures to protect customer data.
What happened
Cathay Pacific Airways failed to secure its systems, resulting in unauthorized access to passenger data.
Who was affected
Passengers of Cathay Pacific Airways whose personal details were accessed without authorization.
What the authority found
The UK Information Commissioner's Office found Cathay Pacific negligent for not securing passenger data, resulting in a GDPR violation.
Why this matters
This case highlights the importance of maintaining up-to-date security systems and practices. It serves as a warning that neglecting cybersecurity can lead to significant fines and damage to reputation.
GDPR Articles Cited
National Law Articles
The airline’s failure to secure its systems resulted in the unauthorised access to their passengers’ personal details including: names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.
Cathay Pacific became aware of suspicious activity in March 2018 when its database was subjected to a brute force attack, where numerous passwords or phrases are submitted with the hope of eventually guessing correctly. The incident led Cathay Pacific to employ a cybersecurity firm, and they subsequently reported the incident to the ICO.
The ICO found Cathay Pacific’s systems were entered via a server connected to the internet and malware was installed to harvest data. Several errors were found during the ICO’s investigation including: back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer and inadequate anti-virus protection.
Although ICO considered that the contraventions were not deliberate, ICO held that they were negligent, as Cathay Pacific ought reasonably to have known that the contraventions would both (i) occur and (ii) be of a kind likely to cause substantial distress. ICO further held that Cathay Pacific failed to take responsible steps to prevent these contraventions. In reaching this view, ICO has had regard in particular to: the fact that in many instances Cathay Pacific was failing to follow its own policies; the fact that the best practices which were ignored were so fundamental; the availability of knowledge about the various vulnerabilities, whether via CVE or via notice from the service provider; and the fact that available controls were not implemented timeously or at all.
Although Cathay Pacific acted promptly and forthrightly since it became aware of the data breach, ICO reached the view that it was appropriate to issue a monetary penalty of GBP 500.000, given the following aggravating
Related Enforcement Actions (0)
No other enforcement actions found for Cathay Pacific Airways Limited in the UK
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
10 February 2020
Authority
Information Commissioner's Office
Fine Amount
€585,000
500,000 GBP
GDPRhub ID
gdprhub-2184
Cite as: Cookie Fines. Cathay Pacific Airways Limited - United Kingdom (2020). Retrieved from cookiefines.eu