This case was publicly disclosed in October 2018, after Cathay Pacific became aware of the breach in March 2018. This was when they discovered activities of “brute force” password guessing attacks in their system.
The long-time incident had risked confidential details of 111,578 UK residents as well as 9.4 million passengers worldwide in the past 6 years.
Cathay Pacific reported the case to the Information Commissioner’s Office (ICO) and sought help from a cyber security firm. Their affected customers were let known of the breach too.
Found leaked were customer’s personal details such as passenger’s name, passport number, nationalities, dates of birth, postal and email address, phone numbers, travel history and credit card credentials.
ICO revealed that Cathay Pacific’s internal systems lacked appropriate security measures from October 2014 till May 2018, which had led to the incident.
From the investigation, they have found a number of errors and deficiency from the company itself, such as back up files that were not password protected, the airline was using outdated operating systems, internet-facing servers were left unpatched as well as the lack of anti-virus protection.
“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers,” said ICO Investigation Director Steve Eckersley.
He further stated that the airline had failed to satisfy four out of five of the National Cyber Security Centre’s basic guidance following the serious deficiencies found below the standard.
Cathay Pacific was then given the fine of £500,000, which was told to be the highest figure charged under Data Protection Act 1998.
According to the investigation report, there were no confirmed cases of leaked data being misused. However, years after years, the potential of it can never be dismissed.
Learning from past mistakes, Cathay Pacific has now taken security measures on its IT infrastructure since the last three years. They have now allocated some amount into investing for data security and continuously upkeep their infrastructure from time to time.
From this incident, Condition Zebra believes in prevention than cure. Cybersecurity is becoming essential and little did we realize that cyber security has becoming important ever since the last decade.
Condition Zebra provides expertise in penetration testing, system hardening and digital forensics. As experts in the field, we have conducted classes and training for IT personnel to help our society benefit from a safe virtual environment.
To those who are looking for a free penetration testing session, we might be able to help you out.