
Cathay Pacific slammed for security failures following hack which exposed 9.4 million people worldwide

Graham CLULEY

March 04, 2020


The UK’s Information Commissioner’s Office (ICO) has fined Cathay Pacific for “a number of basic security inadequacies” which resulted in hackers stealing the data of 9.4 million people worldwide – including 111,578 from the UK.

In October 2018, the Hong Kong-based airline admitted that hackers had broken into its internal systems and accessed passenger data – including names, nationalities, dates of birth, phone numbers, email addresses, postal addresses, passport details, frequent flier numbers, and historical travel information.

However, it is now known that the security breach had been going on since at least 15 October 2014, and was only identified in May 2018 after Cathay Pacific became aware of a brute force attack against its Active Directory database.

A subsequent investigation determined that there had been two separate groups of attackers, one of which had managed to install password-stealing malware and use the stolen credentials to access admin systems.
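The two things that finally surfaced this breach, a burst of failed logons against Active Directory and stolen credentials then being used successfully, are both visible in ordinary Windows Security logs (Event ID 4625 for a failed logon, 4624 for a successful one). The script below is an added example, not code from the article or from Cathay Pacific: it runs simple brute-force and password-spraying detection over a handful of constructed log records and flags a source that succeeds right after a run of failures. The thresholds, window, and sample records are assumptions chosen for illustration.

```python
"""Detect brute-force and password-spraying logons from Windows Security
event records, and flag a success that follows a failure burst.

Added example (not from the original article). SAMPLE_EVENTS is a constructed
log: field meanings follow Event IDs 4625 (failed logon) and 4624 (successful
logon), but every record, user name and IP address below is made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624

# Constructed sample records: (timestamp, event id, target user, source ip)
SAMPLE_EVENTS = [
    ("2018-05-01T02:00:01", 4625, "j.smith", "10.20.30.40"),
    ("2018-05-01T02:00:03", 4625, "j.smith", "10.20.30.40"),
    ("2018-05-01T02:00:05", 4625, "j.smith", "10.20.30.40"),
    ("2018-05-01T02:00:07", 4625, "j.smith", "10.20.30.40"),
    ("2018-05-01T02:00:09", 4625, "j.smith", "10.20.30.40"),
    ("2018-05-01T02:00:11", 4625, "j.smith", "10.20.30.40"),
    ("2018-05-01T02:00:13", 4624, "j.smith", "10.20.30.40"),  # guess worked
    ("2018-05-01T03:10:00", 4625, "a.wong", "10.20.30.41"),   # one try per
    ("2018-05-01T03:10:02", 4625, "b.chan", "10.20.30.41"),   # account: spray
    ("2018-05-01T03:10:04", 4625, "c.lee", "10.20.30.41"),
    ("2018-05-01T03:10:06", 4625, "d.ng", "10.20.30.41"),
    ("2018-05-01T03:10:08", 4625, "e.lam", "10.20.30.41"),
    ("2018-05-01T03:10:10", 4625, "f.tse", "10.20.30.41"),
    ("2018-05-01T09:00:00", 4625, "g.ho", "10.20.30.42"),     # benign typo
    ("2018-05-01T09:00:30", 4624, "g.ho", "10.20.30.42"),
]


def parse(events):
    """Turn raw tuples into (datetime, event_id, user, ip), sorted by time."""
    parsed = [(datetime.fromisoformat(ts), eid, user, ip)
              for ts, eid, user, ip in events]
    return sorted(parsed, key=lambda r: r[0])


def detect(events, window=timedelta(minutes=5),
           fail_threshold=5, spray_threshold=5):
    """Return one alert per suspicious source IP.

    brute_force    : >= fail_threshold failures inside `window` (few accounts)
    password_spray : >= spray_threshold distinct accounts inside `window`
    followed_by_success is set when the same IP logs on successfully after
    its last failure, i.e. a guessed or stolen credential probably worked.
    """
    by_ip = defaultdict(list)
    for rec in parse(events):
        by_ip[rec[3]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        failures = [r for r in recs if r[1] == FAILED_LOGON]
        best_burst = 0   # most failures seen in any single window
        best_spray = 0   # most distinct targeted accounts in any window
        for i, start in enumerate(failures):
            in_window = [r for r in failures[i:] if r[0] - start[0] <= window]
            best_burst = max(best_burst, len(in_window))
            best_spray = max(best_spray, len({r[2] for r in in_window}))

        if best_spray >= spray_threshold:
            kind = "password_spray"
        elif best_burst >= fail_threshold:
            kind = "brute_force"
        else:
            continue  # below both thresholds: ordinary user error

        last_failure = failures[-1][0]
        followed_by_success = any(
            r[1] == SUCCESS_LOGON and r[0] > last_failure for r in recs)
        alerts.append({
            "source_ip": ip,
            "kind": kind,
            "failures": len(failures),
            "followed_by_success": followed_by_success,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed log this raises two alerts: 10.20.30.40 for a single-account brute force that ends in a successful logon, which is the case that should page someone, and 10.20.30.41 for a low-and-slow spray across six accounts. The single failed attempt from 10.20.30.42 is ignored. In a real estate the same logic belongs in the SIEM with the thresholds tuned to your own baseline of failed logons, and the "success after failures" signal is exactly what MFA on the VPN and on admin logons is meant to neutralise.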

Cathay Pacific only informed the ICO of the security breach five months later, on 25 October 2018, saying that it had taken several months to analyse the data and fully understand the impact of the breach.

The airline’s share price fell following criticism that it had taken too long to come clean about the hack.

Amongst Cathay Pacific’s failures, according to the ICO, were that the company had not encrypted database backups containing personal data, that it had left an internet-facing server unpatched against a vulnerability that had been public knowledge for over 10 years, and that servers processing sensitive data were running out-of-date, no-longer-supported operating systems.

In addition the ICO noted that some 41,000 users were able to access Cathay Pacific’s VPN with just a username and password, with no additional authentication required:

“If Cathay Pacific had required MFA for every user, the attackers would not have been able to use the stolen credentials to access the VPN and the data breach would have been avoided.”

In September 2018, Cathay Pacific began rolling out multi-factor authentication (MFA) across all users. That is a good thing, of course, but it really should have happened much sooner.

The ICO has today announced it is fining Cathay Pacific £500,000 – with a 20% reduction to £400,000 if the penalty is paid by 12 March 2020.

Cathay Pacific is not the only airline to find itself in the spotlight of data watchdogs. In July last year it was revealed that British Airways was facing a £183 million fine from the ICO after travellers’ data was harvested by hackers.
