ICO fines Cathay Pacific £500,000 over customer data exposure

The Information Commissioner’s Office fined airline Cathay Pacific Airways £500,000 for failing to protect customers' personal data.

The UK watchdog said the airline's computer systems exposed details including names, passport details, dates of birth, phone numbers, addresses and travel history of 111,578 UK residents and 9.4m people from other countries.

"Appropriate security" was not in place between October 2014 and May 2018 until the airline became aware in March 2018 as it suffered a password guessing attack.

The Hong Kong-based firm reported this to the ICO and the UK watchdog uncovered errors made by the airline in the investigation that followed.

Steve Eckersley, the ICO's director of investigations, said there were "a number of basic security inadequacies across Cathay Pacific's system, which gave easy access to the hackers".