back to article UK data watchdog slaps a £500,000 fine on Cathay Pacific for 2018 9.4m customer data leak

The Information Commissioner's Office has fined Cathay Pacific Airways £500,000 for leaky security that exposed the personal data of 9.4 million passengers - 111,578 of whom were from the UK. The breach, which occurred between October 2014 and May 2018, exposed passengers' names, passport and identity details, dates of birth, …

  1. nematoad Silver badge


    "Our investigation reveals that there is no evidence of any personal data being misused to date."

    So that's alright then.

    Idiots, I just hope that they pay more attention to the safety of their aircraft, staff and passengers.

    1. andy 103

      Re: No!

      "no evidence of any personal data being misused to date."

      Given that they didn't know it had even been stolen, I wouldn't take this too seriously.

    2. RPF

      Re: No!

      They do, but the directors are pretty much IT-illiterate. I'm sure that's something most guys here have heard of before!

      One was found to have been accessing the mainframe via Starbucks wi-fi (no VPN, obvs) once...... ...and they never, ever spend on IT if they can help it.

      1. commonsense

        Re: No!

        How and why is the mainframe accessible from the public internet without connecting via the VPN? You can't blame the directors for that (unless they mandated that the mainframe was accessible without those pesky login screens).

  2. andy 103


    "between October 2014 and May 2018"

    "first suspected in March 2018"


    "and confirmed in May"

  3. oiseau Silver badge

    Just £500.000?

    9.4 million customer data files @ £500.000 ends up being a measly £0.0532 per data file.

    Ridiculous ...

    The fine should have been no less than £10 per data file exposed.

    The metadata in each file is worth a lot of cash to those who deal in those things as they are sold and resold many times over.

    There have been far too many of these misshaps in the past few years and I cannot but wonder if they're all exclusively due to bad IT practises.

    I think it is about time that those responsible for these blunders (really absurd in this day and age) be severely held to task.


    1. lglethal Silver badge


      Would you like to read the article again? It's all explained in the last couple of paragraphs.

      The £500k was the maximum fine allowed at the time of the offence. Under GDPR the fines can be much higher. There's even an example shown where British Airways are getting slapped with a £183 million fine for a breach affecting 500,000 customers - that is £366 per affected customer. So you only want to fine them £10 per customer - geez you're a bit soft on them, aren't you?

      Read the article in full and most of the time everything you need to know will eventually be explained...

      1. oiseau Silver badge

        Re: sigh...

        Now, now ...

        Don't get jittery Luke.

        I did read the article but it would seem you misunderstood what I wrote.

        I'll try to clear it up:

        I wrote that the a fine of £500.000 was ridiculous.

        Whether it was the maximum permitted under the Data Protection Act 1998 or the minimum permitted under the Flying Flamingos Convention is absolutely irrelevant to the fact that the amount applied as a fine is ridiculous, maximum permitted or not.

        And please read my post again:

        I wrote that the fine should have been no less than £10 per data file exposed.

        The word only in not there.



        1. Alan Brown Silver badge

          Re: sigh...

          > I wrote that the a fine of £500.000 was ridiculous.

          It's the maximum allowed under the law applicable at the time, and yes it WAS ridiculous - but bear in mind that it was set and HELD at this low figure by our "business friendly" government.

          It only went to higher levels once the EU forced the UK government to change it with the rollout of GDPR - and the government did everything it could to resist those changes.

          "Taking back control" - among other things means a high possibility that if the government thinks it can get away with it, it will attempt to roll back the fines to traffic ticket nuisance levels. There's a very high historic antipathy to consumer protection laws amongst the Conservative party and their predecessors (who were also opposed to things like laws making sawdust and plaster of paris in sausages illegal, amongst other things)

          The ominous black cloud on the Horizon isn't a storm. It's CHICKENS flying this way and looking for their roost.

      2. Doctor Syntax Silver badge

        Re: sigh...

        Indeed. I was going to say thanks to the author for making that point in the article because there'd otherwise be somebody coming along with just that comment. But someone has to come along to say it anyway and demonstrate their lack of reading skills.

  4. Doctor Syntax Silver badge

    "no evidence"

    Cathay Pacific, go and write out 100 lines: "Absence of evidence is not evidence of absence."

  5. Anonymous Coward
    Anonymous Coward

    I can't wait for the company I work for to get hacked now GDPR is in force.

    I have tried for YEARS to get them to take security seriously. I have pleaded with them. I have tried to point out the potential cost. But with the PHBs its always the same old tired rhetoric.

    "Well it hasn't happened yet so we must be OK".

    No! You just don't KNOW if its happened yet.

    Great. Worked myself up, now I need to go and have a beer....

    1. Alan Brown Silver badge

      "No! You just don't KNOW if its happened yet."

      And of course, if you were to find it NOW, not reporting would be a criminal offence, so you're legally obligated to do so as soon as its found..... (contractual terms don't trump the law)

  6. JCitizen

    I wished the US had that..

    Our FCC, SEC, or somebody, should be levying fines like that for every breach we have - because it is obvious that , " they don't take security seriously" at many US firms. I get tired of reading all the breaches, it is time to kick some arse!! 500,000 USD is better than nothing, which is what they get over here, nothing!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022