On 10 February 2020, Cathay Pacific Airways Ltd (CP) was issued with the maximum pre-GDPR fine of £500,000 by the Information Commissioner (ICO) following a data security breach.
This is a further example from which other organisations can learn what the ICO will focus on when investigating a data security breach. Significantly, the ICO concentrated not only on the vulnerabilities that allowed the attackers to succeed, but also on those that could have had an impact, and on those that were failings in themselves even though they could not be shown to have had any direct impact in this case. This is another example of the ICO using a data security breach as the basis for a much wider investigation into compliance, which in turn has led to a very serious sanction.
Further details are provided below, but amongst the key issues identified by the ICO were:
- CP failed to follow four out of five of the UK National Cyber Security Centre (NCSC) basic Cyber Essentials requirements: choose the most secure settings for devices and software; control access to data and systems; protect yourself from viruses and malware; and keep your devices and software up to date;
- CP did not follow its own processes in a range of areas to keep the data and its systems secure;
- CP failed to deal with widely known software vulnerabilities;
- Use of multi-factor authentication to access systems and data was not considered by CP;
- Too much access to personal data was given to too many individuals for too long;
- The investigation by CP into the data security breach was flawed as there was a failure to preserve relevant evidence.
Though CP is incorporated in Hong Kong it has a branch office in London, meaning that it is established in the UK and hence regulated under the DPA 1998.
The data security breach occurred between 15 October 2014 and 11 May 2018, so it fell within the pre-GDPR regime. CP first became aware of the issues in March 2018. Four of CP’s systems were involved and were attacked by two different groups of hackers. 9.4 million individuals were affected, 111,578 of them from the UK. The personal data involved included passenger names, nationalities, dates of birth, passport and national identity card numbers, and passenger loyalty scheme information. CP voluntarily notified the data security breach to the ICO on 25 October 2018, bearing in mind that the pre-GDPR regime had no mandatory requirement to notify the ICO. The ICO received just two complaints from affected individuals (CP itself received 12,000).
The ICO’s findings
The ICO’s Monetary Penalty Notice (MPN) concluded that there had been a serious contravention of the seventh data protection principle under the DPA 1998, that is to take appropriate measures to prevent unauthorised or unlawful use of personal data. The fine of £500,000 was the maximum available under the DPA 1998.
As with other data security breaches, the ICO’s findings help to inform what the regulator is likely to expect from organisations both pre and post GDPR. In this case, the failings included:
- Leaving database back-ups unencrypted, contrary to CP’s own policies. The database was unencrypted because of the migration of a CP data centre, but CP could provide no evidence that its own internal notification and assessment processes had been followed in order to identify and mitigate the risk this created;
- Not dealing with a known vulnerability in an internet facing server. The vulnerability had been publicised via the Common Vulnerabilities and Exposures (CVE) system since February 2007, but nothing had been done about it;
- Use of systems that were out-of-date and no longer supported by security updates. This was also contrary to CP’s own policies which should have led to the systems being replaced or upgraded;
- A failure to consider using multi-factor authentication (MFA). CP allowed 41,000 staff to access a virtual private network using only a user ID and password, with no further authentication. The ICO said that CP should have carried out a risk assessment to determine whether this was appropriate and, having done so, adopted MFA or other appropriate access controls;
- A review of CP’s records identified no evidence that it had taken steps to address known vulnerabilities in software and systems for prolonged periods;
- CP was unable to produce evidence to the ICO following the decommissioning of some systems after the data security breach was discovered. The ICO decided that this was a failure by CP to follow best practice in preserving digital evidence;
- CP gave privileged administrator access to too many individuals within CP. The ICO said that individuals should be given access strictly to the tools they need to perform their tasks, and that when the reasons for that access no longer apply it should be withdrawn – so-called “just enough” and “just in time” administration;
- There was a lack of penetration testing by CP. The suggestion from the ICO is that this should be conducted at least annually;
- Data retention periods of at least seven years, which applied irrespective of the nature of the data retained, were too long.
The ICO also commented that although CP acted promptly and went beyond its legal obligations in issuing appropriate information to the affected individuals and cooperating with the ICO, this was no more than should be expected of an organisation of its size and resources. This indicates that the ICO will hold larger, more sophisticated organisations to higher standards following the discovery of a data security breach.
If you require further information about anything covered in this briefing, please contact Ian De Freitas, or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, March 2020