Information Commissioner’s Office (ICO) fines Cathay Pacific Airways for data breach

10th March 2020 Media Law

Cathay Pacific Airways Limited was fined £500,000 last week by the UK’s Information Commissioner’s Office (ICO) for failing to protect the security of its customer’s data.

The airline was subject to a breach of its customer’s data, which affected 9.4million worldwide, including 111,578 from the UK. The breach resulted in unauthorised access of passenger’s personal details including:

  • Name;
  • Passport identity details;
  • Date of birth;
  • Postal and email addresses;
  • Phone numbers;
  • Travel history.

The breach came to light in March 2018, when Cathay Pacific enlisted a cyber-security firm after it had suffered a ‘brute force attack,’ which consisted of hackers repeatedly submitting targeted username and password combinations with the hope of eventually submitting the correct one.

Following the attack, it was found that between October 2014 and May 2018, Cathay Pacific’s systems did not have sufficient security measures in place. The ICO’s report noted a “catalogue of errors,” including “back up servers that were not password protected” and “inadequate virus protection.”

Steve Eckersley, the ICO’s Director of Investigations, expressed his concerns in relation to the breach which was the result of “multiple serious deficiencies.” He said, “At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.”

Due to the timing of events, Cathay Pacific was penalised under old data law (Data Protection Act 1998 (DPA98)). The ICO found a serious breach under Principle 7 of the DPA98, which states, “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

Cathay Pacific was fined the maximum penalty of £500,000 under the DPA98 and in making the decision, the Commissioner was satisfied that the breach was “likely to cause substantial damage or distress” due to the types of data compromised.

However, under new laws this penalty could have been significantly higher. The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18), which came into force on 25 May 2018 would have given the ICO the power to impose a hefty fine of up to £17 million or 4% of global turnover in the same circumstances.

JMW Solicitors are experts in data breach law. If you’ve been subject to a data breach and would like help, please call us today on 0345 872 6666.

We're Social

Jemma Fleetwood is a Trainee Solicitor located in Manchesterin our Trainee Solicitors department

View other posts by Jemma Fleetwood

Let us contact you


COVID-19 Update - Our website and phone lines are operating as normal and our teams are on hand to deal with all enquiries. Meetings can be conducted via telephone and video conferencing.

View our Privacy Policy

Areas of Interest