
Cathay Pacific slammed for security failures following hack which exposed 9.4 million people worldwide

Graham CLULEY

March 04, 2020


The UK’s Information Commissioner’s Office (ICO) has fined Cathay Pacific for “a number of basic security inadequacies” which resulted in hackers stealing the data of 9.4 million people worldwide – including 111,578 from the UK.

In October 2018, the Hong Kong-based airline admitted that hackers had broken into its internal systems and accessed passenger data – including names, nationalities, dates of birth, phone numbers, email addresses, postal addresses, passport details, frequent flier numbers, and historical travel information.

However, it is now known that the security breach had been going on since at least 15 October 2014, and was only identified in May 2018 after Cathay Pacific became aware of a brute force attack against its Active Directory database.

A subsequent investigation determined that there had been two separate groups of attackers, one of which had managed to install password-stealing malware and use the stolen credentials to access admin systems.

Cathay Pacific only informed the ICO of the security breach five months later, on 25 October 2018, saying that it had taken several months to analyse the data and fully understand the impact of the breach.

The airline’s share price fell following criticism that it had taken too long to come clean about the hack.

Amongst Cathay Pacific’s failures, according to the ICO, were that the company had failed to encrypt database backups containing personal data, that the airline had failed to patch an internet-facing server against a vulnerability that had been public knowledge for over 10 years, and that out-of-date, no-longer-supported operating systems were being used on servers processing sensitive data.

In addition, the ICO noted that some 41,000 users were able to access Cathay Pacific’s VPN with just a username and password, with no additional authentication required:

“If Cathay Pacific had required MFA for every user, the attackers would not have been able to use the stolen credentials to access the VPN and the data breach would have been avoided.”

In September 2018, Cathay Pacific began rolling out multi-factor authentication (MFA) across all users. That is a good thing, of course, but it really should have happened much sooner.

The ICO has today announced it is fining Cathay Pacific £500,000 – with a 20% reduction to £400,000 if the penalty is paid by 12 March 2020.

Cathay Pacific is not the only airline to find itself in the spotlight of data watchdogs. In July last year it was revealed that British Airways was facing a £183 million fine from the ICO after travellers’ data was harvested by hackers.
