Maximum fine for Cathay Pacific
Cathay Pacific got slapped with a £500K fine from the UK ICO for its data breach that was discovered in March 2018.
The ICO in its monetary penalty notice was happy to use the word “negligence” in describing Cathay Pacific’s behaviour that led to the incident.
Cathay Pacific originally called in the CyberSecurity Cavalry when they were brute force attacked in March 2018. That external investigation determined that at least two groups were squatting on the Cathay Pacific network, with confirmed residence for one group dating back to 2014.
The Cavalry also managed to evict the squatters just two weeks before the GDPR came into force in May 2018. In doing so, they saved Cathay Pacific from having to be judged under the GDPR. With annual revenue in 2018 at approximately £10 billion, a 4% fine would have been worth £400m. So this particular security breach investigation managed to save Cathay Pacific up to £399.5m. Who needs an ROI for security testing?
New twist on failures
Cathay Pacific joined the ICO’s Fine High Club with a few failings that are so far unique and worth a discussion.
- Having policies and not following them. Cathay Pacific security policies were detailed and explicit and were completely ignored.
- They also got slapped for failing to record exceptions to policy. Cathay argued that it was not a policy oversight, but the servers in question had exceptions from the policy. Unfortunately, the evidence for this exception was thin on the ground.
- Having a vulnerability on an Internet-facing server from 2007 didn’t help, but the patching and anti-virus failures are common threads in other marquee incidents.
- But the best one by miles is that when the ICO rocked up to do their own investigation on what had gone on during the data breach, they were told by Cathay Pacific that the servers in question had been rebuilt and all of the evidence was now gone. A page taken straight from the Enron Incident Management process.