Cathay Pacific Airlines Fined Over Data Breach (Mar 5, 2020)
International airline Cathay Pacific Airways has been fined £500,000 by the United Kingdom's Information Commissioner's Office (ICO) for failing to protect the personal data of 9.4 million customers between 2014 and 2018. The ICO found that the airline lacked appropriate security controls, including unencrypted backup files and administrative consoles exposed to the open internet, which allowed millions of records to be accessed. The breach exposed names, physical and email addresses, dates of birth, phone numbers, passport details and historical travel information. The fine is the largest the ICO could impose: because the breach took place before the EU's General Data Protection Regulation came into force in May 2018, the case was handled under the Data Protection Act 1998, whose maximum monetary penalty was £500,000.
Recommendation: Data breaches such as this one are a reminder that cyber security is a continuous effort of monitoring, detection, prevention and response, not a one-off project. Organizations should regularly review and audit their security controls to find and remediate both accidental exposure and malicious activity, especially where Personally Identifiable Information (PII) is involved. Every store of customer data, including backups and the administrative interfaces that front it, should be checked for the confidentiality, integrity and availability of that data: backups encrypted at rest, admin consoles reachable only from trusted networks, and both verified on a schedule rather than assumed.
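The two findings singled out above, unencrypted backups and internet-reachable admin consoles, are the kind of thing a scheduled audit script can catch before a regulator does. The following is an added example written for this briefing, not code from the ICO, Cathay Pacific or Anomali: it flags backup files that are evidently stored without encryption (by container magic bytes first, then a byte-entropy fallback) and flags database or management listeners bound to every interface in `ss -ltn` style output. The admin-port list, the entropy threshold and the sample inputs are assumptions constructed for the example.

```python
"""Added audit example (not from the ICO notice): spot unencrypted backups and
admin/database services listening on all interfaces. Sample data is constructed."""
import math
from collections import Counter

# Assumed set of admin/database ports an auditor would not want internet-exposed.
ADMIN_PORTS = {3306: "mysql", 5432: "postgres", 8080: "tomcat-manager", 10000: "webmin"}

# Magic bytes of common encrypted containers (checked first: their payload is high entropy).
ENCRYPTED_MAGICS = {
    b"-----BEGIN PGP MESSAGE-----": "pgp-armored",
    b"age-encryption.org/v1": "age",
    b"Salted__": "openssl-enc",
}
# Magic bytes of common unencrypted backup formats. gzip/zip are compressed, so their
# entropy is also high; the magic check is what lets us call them unencrypted.
PLAINTEXT_MAGICS = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"SQLite format 3\x00": "sqlite",
    b"-- MySQL dump": "mysqldump SQL",
    b"PGDMP": "pg_dump custom",
}
ENTROPY_THRESHOLD = 7.0  # bits/byte; assumed cut-off, text-like data sits well below it


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_backup(data: bytes, sample_size: int = 4096):
    """Return (verdict, reason): 'encrypted', 'unencrypted' or 'unknown'."""
    head = data[:sample_size]
    for magic, name in ENCRYPTED_MAGICS.items():
        if head.startswith(magic):
            return ("encrypted", name)
    for magic, name in PLAINTEXT_MAGICS.items():
        if head.startswith(magic):
            return ("unencrypted", name)
    if len(data) > 262 and data[257:262] == b"ustar":  # POSIX tar header
        return ("unencrypted", "tar")
    h = shannon_entropy(head)
    if h < ENTROPY_THRESHOLD:
        return ("unencrypted", f"low entropy {h:.2f} bits/byte, no known container")
    # High entropy with no recognised header: could be ciphertext or an unknown
    # compressed format. Do not silently pass it; make a human look.
    return ("unknown", f"high entropy {h:.2f} bits/byte, encrypted or compressed; inspect")


WILDCARD_HOSTS = {"0.0.0.0", "*", "[::]", "::"}


def exposed_admin_listeners(ss_output: str):
    """Parse `ss -ltn` style lines; return admin-port sockets bound to all interfaces."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skip the header and anything not listening
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        if host in WILDCARD_HOSTS and port in ADMIN_PORTS:
            findings.append((port, ADMIN_PORTS[port], fields[3]))
    return findings


# Constructed samples standing in for real backup files and real `ss` output.
SAMPLE_SQL_DUMP = b"-- MySQL dump 10.13  Distrib 8.0.19\n-- Table structure for table `passengers`\n"
SAMPLE_CSV = b"name,passport,dob\nJane Doe,A1234567,1980-01-01\nJohn Roe,B7654321,1975-06-30\n"
SAMPLE_OPENSSL = b"Salted__" + bytes(range(256)) * 4
SAMPLE_UNKNOWN = bytes(range(256)) * 16  # exactly 8.0 bits/byte, no header
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*
LISTEN  0       511      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       100      *:8080               *:*
LISTEN  0       128      [::]:10000           [::]:*
"""

if __name__ == "__main__":
    for label, blob in [("dump.sql", SAMPLE_SQL_DUMP), ("pii.csv", SAMPLE_CSV),
                        ("backup.enc", SAMPLE_OPENSSL), ("blob.bin", SAMPLE_UNKNOWN)]:
        print(label, classify_backup(blob))
    for port, svc, local in exposed_admin_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED: {svc} on {local} (port {port}) is bound to all interfaces")
```

The magic-byte check runs before the entropy test on purpose: gzip and zip payloads are nearly as high-entropy as ciphertext, so an entropy-only heuristic would wave a compressed, unencrypted SQL dump through. Anything high-entropy with no recognised header is reported as unknown rather than assumed safe. The listener check only tells you what is bound to every interface on the host; whether that is actually reachable from the internet still depends on the firewall in front of it, so treat a hit as a lead to verify externally rather than a confirmed exposure.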
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.