Airlines aren't having a great time this week. The ICO announced this week enforcement action taken against Cathay Pacific for failing to secure its customers’ personal data, involving a "number of basic security inadequacies".
As the breach took place pre-GDPR, the enforcement powers in the preceding legislation (Data Protection Act 1998) applied.
The ICO found Cathay Pacific’s systems were entered via a server connected to the internet and malware was installed to harvest data. A catalogue of errors were found during the ICO’s investigation including: back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer and inadequate anti-virus protection.
/Passle/5db069e28cb62309f866c3ee/MediaLibrary/Images/2024-12-04-17-29-34-985-6750917e376ff9ba249f5aab.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-05-28-14-44-04-394-683721349d25f25791e9365e.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-05-23-20-07-38-111-6830d58a68653c5a1a0a4aa5.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-05-19-13-29-42-284-682b3246e134e77b9be8c2fd.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-05-20-10-23-50-411-682c5836975255c0971fba60.jpg)