On 4 March 2020, the Information Commissioner’s Office (“ICO”) issued an enforcement notice with a fine of £500,000 against Cathay Pacific Airways Limited (“Cathay Pacific”) for failing to put in place appropriate technical and organisational measures to protect against the unauthorised or unlawful processing of personal data. This failure was in respect of four of its internal systems that resulted in a large scale data breach.
Cathay Pacific's systems lacked the appropriate technical and organisational measures needed and resulted in a data breach that lasted 3 years and 7 months (from 15 October 2014 to 11 May 2018) and affected 9.4 million data subjects. As a consequence, it received 12,000 complaints (some of which allege economic loss due to the data breach). Cathay Pacific claimed that it subsequently instructed a leading cyber security firm to investigate the data breach.
In its enforcement notice, the ICO has listed several reasons as to how Cathay Pacific had breached data privacy legislation. We have listed the key reasons below (and recommend that you see if any of these could be relevant for your company):
It failed to follow its own data policies including those that stated that databases with personal data should be encrypted, systems should be regularly reviewed to identify the end of their lifecycle etc.
Its internet-facing server was easily accessible due to a vulnerability that had not been managed (and the solution to manage this vulnerability had been known for 10 years).
Its administrator console was publicly accessible via the internet and a hacker could therefore access its authentication page and log-in and have control quickly.
Where network users were using a virtual private network, the controls to access it and log-in were not robust enough as multi-factor authentication had not been configured for all users.
One of its systems was hosted on an operating system that was no longer supported by security updates (and it had failed to conduct a risk assessment and find an alternative hosting location).
The anti-virus protection that it had in place was inadequate. For two of its systems, no anti-virus software had even been installed.
Its penetration testing was inadequate. Its systems had not been tested regularly and for one system, there had been a 3-year gap in which it had not been tested at all.
Its approach to retention periods was too long. Its approach was to retain data indefinitely and it would only purge data after 7 years of passenger inactivity (i.e. they terminate their membership or die).
Cathay Pacific has only been fined £500,000 as this is the maximum amount permitted pre-GDPR under the Data Protection Act 1998 under which it was investigated (as the data breaches were prior to 25 May 2018). Whilst Cathay Pacific has the opportunity to appeal the enforcement notice and the fine, we believe that its very unlikely that it will do so – and its most likely thanking its lucky stars that its data breach was pre-25 May 2018.
What can you and your organisation learn from Cathay Pacific?
Our advice is that you should take note of the following:
Data privacy and its security is an on-going matter. It’s simply not enough to put policies in place and conduct a one-off review of security measures and controls. Organisations are advised to: (a) regularly review their data register and the controls that they have in place for all of their systems. This can include, for example, by scheduling a quarterly review of its data register and all of the systems that it has in place as well as conducting research on information in the public domain about best practices from a security point of view.(b) ensure that their policies are being understood and implemented by staff (and especially their I.T teams). Had Cathay Pacific followed its own policies and conducted regularly reviews of its systems, it would have identified the vulnerabilities that it was exposed to and the lack of controls that it had in place.
Data minimisation and data retention should be considered together. Data can be a liability and organisations should consider each type of personal data that they hold very carefully and whether it is necessary. Cathay Pacific’s data retention practices were the same for all the personal data that it obtained across all of its systems. This approach showed a lack of thought as there was certain data that it did not need to hold onto (e.g. Cathay Pacific did not need to hold onto expired passport numbers of customers). Organisations are advised to be cautious about how much data they collect and to regularly consider whether it needs to be retained; data retention policies should highlight specifically which personal data it is keeping and why.
It’s important for organisations to be able to justify all of their actions and to be consistently transparent in their dialogue with the ICO. With Cathay Pacific, the ICO stated that it was not able to conduct a forensic assessment concerning Cathay Pacific’s data breach and this was because Cathay Pacific had failed to follow best practices in terms of preservation of digital evidence. The fact that the ICO chose to record this in the enforcement notice (alongside highlighting that Cathay Pacific had allowed a cyber security firm that it had paid to conduct a forensic assessment), shows that the ICO is somewhat warry about why it was not able to do a forensic assessment (i.e. is something further being hidden?).The ICO also stated that it had no evidence of how certain policies had been followed. We advise organisations to act cautiously in situations with how they manage evidence, regulatory engagement and their internal governance around data protection.
Aria Grace Law
We advise large companies and legal service providers on data protection matters and have run several end-to-end data protection programmes for many of our clients, taking out data risk and adding back data value. We are experienced data privacy experts and can assist your organisation with reviewing and enhancing your data protection program as well as with engaging with regulators such as the ICO. If you would like to find out more or instruct us to help you, please contact us on firstname.lastname@example.org.
Privacy Update by Puja Modha – Partner at Aria Grace Law 05.03.2020