Cathay Pacific, which flew 35.5 million passengers in 2018, has been fined £500,000 by the ICO for a data breach that affected a number of its IT systems from October 2014 until May 2018. The breach resulted in 9.4 million data subjects being affected; of these, 233,234 were from the EEA, and 111,578 were from the UK. 199,714 passport numbers issued by an EEA Member State were accessed, and the categories of data breached included: passenger names, nationalities, dates of birth, phone numbers, email addresses, postal addresses, passport and identity card numbers, frequent flyer membership numbers, customer service remarks and historical travel information.

In its investigation the ICO found that Cathay Pacific's systems had a number of basic security inadequacies and it failed four out of five of the basic cyber-essentials guidance from the National Cyber Security Centre.

Luckily for Cathay Pacific, the breach ended on 11 May 2018, just two weeks before the GDPR came into effect, which meant this breach was determined under the Data Protection Act 1998. As such the maximum penalty that could be issued by the ICO is £500,000.

Had the breach continued for a few more weeks, then under the GDPR Cathy Pacific could have faced a fine of 4% of its annual global turnover which would be approximately £470 million. So it appears Cathay Pacific may have been luckier than British Airways whose breach looks set to lead to a £183 million fine as announced by the ICO, but not yet implemented.

Timing, they say, is everything....

The Information Commissioner’s Office (ICO) has fined Cathay Pacific Airways Limited £500,000 for failing to protect the security of its customers’ personal data.