The consequences of a lax approach to data governance

The Information Commissioner's Office (ICO) decision on Cathay Pacific's data breach highlights the consequences of complacency in data governance. With more than 9.4 million individuals affected, Cathay Pacific was fined £500,000, the maximum penalty available under the Data Protection Act 1998 (UK). 

What were the background facts of the enforcement action? 

Cathay Pacific operated a loyalty program for its customers. Through this program it held members' membership numbers, historical travel information and customer service records.  

Cathay Pacific first identified suspicious activity on 13 March 2018, when its Active Directory database came under attack, and engaged a third party to carry out an independent investigation. By May 2018, several databases operated by Cathay Pacific had been identified as targets of a large-scale data breach. The investigation revealed unauthorised access to Cathay Pacific's systems stretching back as far as 15 October 2014. Over that period more than 9.4 million individuals were affected: almost 200,000 passport numbers were accessed, alongside other personal information including names, dates of birth, addresses and identity card numbers.  

On 25 October 2018, Cathay Pacific reported this data breach to the ICO. 

What are the implications of a pre-GDPR enforcement action? 

Because the breach occurred before the General Data Protection Regulation (GDPR) came into force, the ICO exercised its powers under the GDPR's predecessor, the Data Protection Act 1998 (UK) (DPA). The GDPR tightens the regulatory framework established by the DPA, and its stricter accountability requirements and far higher penalty ceiling mean that a breach like Cathay Pacific's would attract significantly greater penalties if it occurred today.  

Because Cathay Pacific carried out its operational data processing in the UK, the DPA applied to it as data controller, meaning that it had to comply with the eight data protection principles (DPPs).

Of interest, DPP7 states:  

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.  

This principle required Cathay Pacific to implement appropriate measures to protect the large volume of personal data collected through its loyalty program. In particular, the DPA required those security measures to be appropriate to the harm that might result from unauthorised or unlawful processing of personal data.   

What were the regulator’s findings? 

The ICO found that Cathay Pacific had seriously contravened DPP7 through several deficiencies in its data security framework, including the following: 

  • database backups were not encrypted; encryption would have limited what attackers could read from any backup files they obtained; 
  • an internet-facing server had a vulnerability that required little skill or knowledge to exploit and had been public knowledge for around ten years, yet Cathay Pacific, despite being aware of it, did not fix it;  
  • administrator access to a system was exposed via the public internet, where additional controls such as a VPN or multi-factor authentication (MFA) could have been used;
  • one of Cathay Pacific's systems had reached end of support and no longer received security updates, yet it was neither replaced nor covered by purchased extended support;
  • servers were left easy to compromise because anti-virus protection was not installed and patches were not managed and applied to keep them up to date;
  • Cathay Pacific did not follow best practice for preserving digital evidence, as several servers were decommissioned following the data breach;
  • some systems had not been tested for up to three years, and data was retained for longer than necessary; and
  • 90 accounts held standing (permanent) administrator access, a level of privilege inappropriate for day-to-day use.  

Why was the maximum fine levied? 

The ICO decided that Cathay Pacific's contravention of DPP7 caused substantial damage and distress to the more than 9.4 million individuals affected. In addition to the conduct discussed above, the ICO noted that the unauthorised access continued for well over 3.5 years, during which the exposed personal data was at risk of being used to perpetrate fraud. Moreover, although more than 12,000 consumer complaints were lodged about the data breach, the ICO highlighted that Cathay Pacific had not actioned any of them.  

Ultimately, the ICO concluded that Cathay Pacific knew or ought to have known that it was failing to follow best practice and its own policies, with available controls implemented irregularly or not at all. It therefore considered it necessary in the circumstances to impose the maximum penalty of £500,000 for this negligent conduct, in order to deter significant contraventions of this kind in the future.   

What are the lessons learned for the data protection practitioner? 

This decision shows the consequences of a lax approach to data governance, particularly as Cathay Pacific had the means to identify and remediate common vulnerabilities. 

As this case demonstrates, the ICO can issue fines under the DPA or the GDPR regardless of whether a business is headquartered in the UK: Cathay Pacific is based in Hong Kong.  

Data compromises of this scale under the GDPR regime could see companies facing penalties far greater than that imposed on Cathay Pacific, up to €20 million or 4% of global annual turnover, whichever is higher. 

Any company with operations or activities in the UK or the EU should pay close attention to complying with the GDPR and the associated laws of member states. Cathay Pacific's experience underscores the importance of regular check-ups on data security systems, to ensure they remain fit for purpose and that the organisation can respond efficiently to a potential data breach. Data protection practitioners should therefore ensure that they: 

  • establish robust data protection policies and implement them in line with best practice;
  • ensure that their ICT service provider or in-house team regularly updates devices and software so that they remain secure and fit for purpose;
  • restrict who can access data and services, giving administrator accounts and elevated permissions only to those who need them; and
  • protect against attacks by installing and maintaining anti-virus software.