Airlines aren't having a great time this week. The ICO announced this week enforcement action taken against Cathay Pacific for failing to secure its customers’ personal data, involving a "number of basic security inadequacies".
As the breach took place pre-GDPR, the enforcement powers in the preceding legislation (Data Protection Act 1998) applied.
The ICO found Cathay Pacific’s systems were entered via a server connected to the internet and malware was installed to harvest data. A catalogue of errors were found during the ICO’s investigation including: back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer and inadequate anti-virus protection.
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-12-12-15-58-46-319-693c3bb62a1eb292d8bfc812.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-12-08-16-19-01-292-6936fa755b578955555c41c2.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-12-04-15-32-44-367-6931a99c9421fe7e50e0b072.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-12-03-16-04-59-359-69305fab186e029cfdb2acd9.jpg)
/Passle/5db069e28cb62309f866c3ee/MediaLibrary/Images/2025-06-30-18-20-05-882-6862d555bf3898129ef17194.jpg)