The UK’s Information Commissioner’s Office (ICO), a regulator in charge of upholding information rights, has fined Cathay Pacific (CX, Hong Kong Int'l) GBP500,000 pounds (USD652,000) for “failing to protect the security of its customers’ personal data,” the ICO revealed in a statement dated March 4.

Between October 2014 and May 2018, the carrier’s computer systems “lacked appropriate security measures,” according to the ICO, which led to customers’ personal details being exposed. Exactly 111,578 of these customers were from the UK, and there were around 9.4 million more worldwide.

Cathay Pacific became aware of suspicious activity in March 2018 when its database was subjected to an attack in which many passwords were submitted in the hope of eventually guessing correctly. However, by then, there had been unauthorised access to passengers’ personal details including names, passport and identity details, dates of birth, post and email addresses, phone numbers, and historical travel information.

A cybersecurity firm that Cathay Pacific enlisted subsequently informed the ICO, which found that the airline’s systems had been entered via a server and malware had been installed to harvest data.

The ICO’s investigation uncovered “a catalogue of errors” including back-up files not password-protected, unpatched internet-facing servers, the use of operating systems no longer supported by the developer, and inadequate anti-virus protection.

“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers,” said Steve Eckersley, the ICO’s investigations director.

However, in addition to acting promptly in seeking expert assistance from a leading cybersecurity firm, Cathay also issued appropriate information to the affected individuals and cooperated with the ICO’s investigation, he added.

Cathay Pacific got away with a smaller fine than would have been levied under European Union rules. That penalty could have been as much as the equivalent of HKD4.4 billion Hong Kong dollars (USD566 million) under new European data privacy laws, whereas the British regulator used older legislation, the 1998 Data Protection Act, according to the South China Morning Post.

The European General Data Protection Regulation (GDPR), implemented in 2018, was not used “due to the timing of the incidents in this investigation,” the ICO said.

The airline has no plans to appeal the fine. A company spokeswoman told the South China Morning Post. It “would once again like to express its regret and to sincerely apologise for this incident,” she said, adding that the carrier has since spent substantial amounts upgrading its IT infrastructure and security. In recent weeks, it unveiled a new IT Command Centre to stop or minimise digital incidents in real-time.

In July 2019, the ICO fined British Airways (BA, London Heathrow) GBP183 million (USD235 million) for a data breach in summer 2018. Parent company IAG International Airlines Group opted to appeal, and last week commented that it had “not been proven that British Airways failed to comply with its obligation under GDPR and the UK Data Protection Act”. It expects the ultimate fine to be “considerably lower”.