Airlines aren't having a great time this week. The ICO announced this week enforcement action taken against Cathay Pacific for failing to secure its customers’ personal data, involving a "number of basic security inadequacies".
As the breach took place pre-GDPR, the enforcement powers in the preceding legislation (Data Protection Act 1998) applied.
The ICO found Cathay Pacific’s systems were entered via a server connected to the internet and malware was installed to harvest data. A catalogue of errors were found during the ICO’s investigation including: back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer and inadequate anti-virus protection.
/Passle/5db069e28cb62309f866c3ee/MediaLibrary/Images/2025-06-30-18-20-05-882-6862d555bf3898129ef17194.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-10-31-16-23-54-286-6904e29a7a01d59373600632.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-10-29-20-55-59-116-69027f5f320730d47b3e27f6.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-10-27-14-50-46-941-68ff86c6a4533caa5473028a.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-10-24-21-00-00-741-68fbe8d0706eb353587e901b.jpg)