Cathay Pacific fined over breach exposing 100,000 UK customer details
The international airline’s computer system “lacked appropriate security measures”, which resulted in the names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information of 9.4 million customers worldwide being exposed.
The exposure spanned a period of nearly four years, between October 2014 and May 2018, and affected 111,578 UK customers, according to the Information Commissioner’s Office (ICO).
However, Cathay Pacific only became aware of suspicious activity in March 2018, when its database was subjected to a ‘brute force attack’, in which numerous passwords or phrases are submitted in the hope of eventually guessing one correctly.
The incident led Cathay Pacific to employ a cybersecurity firm, and it reported the incident to the ICO.
The ICO found that Cathay Pacific’s systems were entered via a server connected to the internet and that malware was installed to harvest data. Numerous errors were found during the ICO’s investigation, including: back-up files that weren’t password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer; and inadequate anti-virus protection.
‘Basic security inadequacies’
Steve Eckersley, ICO director of investigations, said: “People rightly expect, when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here.
“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.
“Under data protection law organisations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible.”
The ICO added that as well as acting promptly in seeking expert assistance from a leading cyber security firm, Cathay Pacific also issued appropriate information to affected individuals and co-operated with the ICO’s investigation.
YourMoney.com has approached Cathay Pacific for comment.
The £500,000 fine is the maximum that could be imposed under the previous Data Protection Act 1998, under which the Cathay Pacific breach occurred. Under the GDPR rules in force since May 2018, the ICO has the power to fine up to £17m (€20m) or 4% of global turnover.