
Cathay Pacific slammed for security failures following hack which exposed 9.4 million people worldwide

Graham CLULEY

March 04, 2020

The UK’s Information Commissioner’s Office (ICO) has fined Cathay Pacific for “a number of basic security inadequacies” which resulted in hackers stealing the data of 9.4 million people worldwide – including 111,578 from the UK.

In October 2018, the Hong Kong-based airline admitted that hackers had broken into its internal systems and accessed passenger data – including names, nationalities, dates of birth, phone numbers, email addresses, postal addresses, passport details, frequent flier numbers, and historical travel information.

However, it is now known that the security breach had been going on since at least 15 October 2014, and was only identified in May 2018 after Cathay Pacific became aware of a brute force attack against its Active Directory database.

A subsequent investigation determined that there had been two separate groups of attackers, one of which had managed to install password-stealing malware and use the stolen credentials to access admin systems.
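The breach was only noticed when a brute-force attack against Active Directory drew attention, years after the first intrusion. Failed-logon events are the cheapest signal a defender has for this, so here is an added example (not from the original article and not Cathay Pacific's own tooling) of the detection logic run over constructed, simplified Windows Security event 4625 records. The one-line log format, the IP addresses, account names and thresholds are all assumptions made for the example; real events are EVTX/XML and would be flattened by a SIEM first. It distinguishes a burst of failures against one account from a password spray that touches many accounts a few times each, which is the pattern that slips past per-account lockout policies.

```python
"""Brute-force and password-spray detection over Windows 4625 logon failures.

Added example; log lines are constructed and the one-line rendering of
event 4625 is an assumption (real events are EVTX/XML).
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Assumed one-line flattening of the fields a SIEM would extract from 4625.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+)$"
)

Finding = namedtuple("Finding", "kind ip attempts accounts")


def parse_line(line):
    """Return a dict for a 4625 (logon failure) line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("eid") != "4625":
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "user": m.group("user").lower(),
        "ip": m.group("ip"),
    }


def detect_bruteforce(lines, window=timedelta(minutes=5),
                      burst_threshold=20, spray_threshold=10):
    """Slide a time window over failures per source IP.

    - many failures in the window against few accounts  -> brute-force
    - failures spread across many distinct accounts      -> password-spray
    Thresholds are example values; tune them to the environment's baseline.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        max_attempts = max_accounts = 0
        start = 0
        for end, ev in enumerate(evs):
            # Advance the window start until it is within `window` of `ev`.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            max_attempts = max(max_attempts, len(win))
            max_accounts = max(max_accounts, len({e["user"] for e in win}))
        if max_accounts >= spray_threshold:
            findings.append(Finding("password-spray", ip, max_attempts, max_accounts))
        elif max_attempts >= burst_threshold:
            findings.append(Finding("brute-force", ip, max_attempts, max_accounts))
    return findings


def _constructed_log():
    """Constructed sample: one hammered account, one spray, one benign user."""
    base = datetime(2018, 5, 1, 9, 0, 0)
    lines = []
    # 30 failures against a single account from one host in three minutes.
    for i in range(30):
        ts = base + timedelta(seconds=6 * i)
        lines.append(f"{ts.isoformat()} EventID=4625 TargetUserName=jsmith IpAddress=10.0.0.5")
    # One failure each against 15 different accounts from another host.
    for i in range(15):
        ts = base + timedelta(seconds=8 * i)
        lines.append(f"{ts.isoformat()} EventID=4625 TargetUserName=user{i:02d} IpAddress=10.0.0.9")
    # Benign: a user mistypes twice, then logs on successfully (4624 is ignored).
    for minute, eid in ((1, 4625), (2, 4625), (3, 4624)):
        ts = base + timedelta(minutes=minute)
        lines.append(f"{ts.isoformat()} EventID={eid} TargetUserName=alee IpAddress=10.0.0.20")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_LOG):
        print(f"{f.kind:15s} from {f.ip}: {f.attempts} failures, {f.accounts} account(s)")
```

The spray check runs before the burst check on purpose: a spray source can also exceed the raw attempt count, and labelling it a brute-force would send responders to lock out one account when the real exposure is every account the attacker touched. Pair this with the obvious preventive control the ICO pointed to: credentials alone should never be enough for remote access.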

Cathay Pacific only informed the ICO of the security breach five months later, on 25 October 2018, saying that it had taken several months to analyse the data and fully understand the impact of the breach.

The airline’s share price fell following criticism that it had taken too long to come clean about the hack.

Among the failures the ICO listed: database backups containing personal data were not encrypted; an internet-facing server had not been patched against a vulnerability that had been public knowledge for over 10 years; and servers processing sensitive data were running out-of-date, no-longer-supported operating systems.

In addition the ICO noted that some 41,000 users were able to access Cathay Pacific’s VPN with just a username and password, with no additional authentication required:

“If Cathay Pacific had required MFA for every user, the attackers would not have been able to use the stolen credentials to access the VPN and the data breach would have been avoided.”

In September 2018, Cathay Pacific began rolling out multi-factor authentication (MFA) to all users. That is welcome, of course, but it should have happened much sooner.

The ICO has today announced it is fining Cathay Pacific £500,000 – with a 20% reduction to £400,000 if the penalty is paid by 12 March 2020.

Cathay Pacific is not the only airline to find itself in the spotlight of data watchdogs. In July last year it was revealed that British Airways was facing a £183 million fine from the ICO after travellers’ data was harvested by hackers.
