Cathay Pacific Enforcement Action

The ICO has recently issued a monetary penalty notice under the Data Protection Act 1998 against Cathay Pacific Airways, imposing a penalty of £500,000 (the maximum allowable under that Act) for breaches of the data protection principles.

Primarily these related to the information security requirements of the Data Protection Act 1998, as there were a number of technical deficiencies with the IT system in question, but there were also organisational issues at play, including:

  • System A was hosted on an operating system that is no longer supported – once a system is out of support, security updates are no longer released for it and it quickly becomes exposed to newly discovered vulnerabilities. Why it was left in that state is not clear from the enforcement notice, but in practice this is often down to simple managerial oversight or to no budget being available to replace the system.
  • Accounts were given inappropriate privileges – some of the user accounts that were compromised had excessive administrative rights to the system, meaning that the attackers could reach more personal data through those accounts than should have been available. This is a process issue whenever access levels are set for any system: Who needs access to what data or privileges? Who makes and authorises those decisions? When are access levels removed once they are no longer needed? How often are access levels reviewed?
  • Retention periods were too long – “The retention policies are consistent across systems and do not refer to the specific type of data in question”. In other words, there was no consideration of individual categories of personal data and of how long each one genuinely needs to be retained, e.g. expired passport numbers. Over-retention of personal data is often highlighted following an information security breach and will exacerbate any enforcement action.
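To make the retention point concrete, here is an added illustration (not Cathay Pacific's system, and not a rule taken from the ICO notice) of the difference between one blanket retention period applied to every data type and category-specific periods keyed to when each record stops serving its purpose. The categories, the day counts in RETENTION_DAYS and the sample records are all constructed assumptions for the example.

```python
from datetime import date, timedelta

# Constructed retention rules (assumptions for this example, not guidance):
# days a record is kept after it is no longer needed, per category. "No longer
# needed" means the passport expired, the booking was flown, the account closed.
RETENTION_DAYS = {
    "passport_number": 30,
    "booking_record": 365,
    "closed_account": 90,
}

# Fixed "today" so the example is reproducible offline.
TODAY = date(2020, 3, 1)

# Constructed sample records. "no_longer_needed_on" is the date the data stopped
# serving its purpose; None means it is still in active use and must be kept.
# "x1" has a category the policy never considered.
SAMPLE_RECORDS = [
    {"id": "p1", "category": "passport_number", "no_longer_needed_on": date(2017, 3, 1)},
    {"id": "p2", "category": "passport_number", "no_longer_needed_on": None},
    {"id": "b1", "category": "booking_record", "no_longer_needed_on": date(2019, 1, 10)},
    {"id": "b2", "category": "booking_record", "no_longer_needed_on": date(2018, 1, 10)},
    {"id": "a1", "category": "closed_account", "no_longer_needed_on": date(2019, 12, 1)},
    {"id": "x1", "category": "crew_roster", "no_longer_needed_on": date(2015, 1, 1)},
]


def blanket_purge_ids(records, today, keep_days):
    """One retention period for every category, regardless of data type.

    Returns the sorted ids of records whose single, uniform period has lapsed.
    With a long blanket period, an expired passport number sits in the system
    for years after it has any legitimate use.
    """
    cutoff = today - timedelta(days=keep_days)
    return sorted(
        r["id"]
        for r in records
        if r["no_longer_needed_on"] is not None and r["no_longer_needed_on"] <= cutoff
    )


def category_purge_ids(records, today, rules=RETENTION_DAYS):
    """Category-specific retention: each data type gets its own period.

    Returns (ids to purge, ids whose category the policy does not cover).
    Unknown categories are reported rather than silently kept forever, which is
    exactly the gap a blanket policy hides.
    """
    purge, unknown = [], []
    for r in records:
        if r["category"] not in rules:
            unknown.append(r["id"])
            continue
        if r["no_longer_needed_on"] is None:
            continue  # still in active use
        cutoff = today - timedelta(days=rules[r["category"]])
        if r["no_longer_needed_on"] <= cutoff:
            purge.append(r["id"])
    return sorted(purge), sorted(unknown)


if __name__ == "__main__":
    print("blanket 7-year policy purges:", blanket_purge_ids(SAMPLE_RECORDS, TODAY, 365 * 7))
    print("per-category policy purges, unmapped:", category_purge_ids(SAMPLE_RECORDS, TODAY))
```

Run as shown, the blanket seven-year policy purges nothing, while the per-category policy purges the expired passport number, both old bookings and the closed account, and flags the crew roster as a category nobody has set a period for. The point of the second function is not the day counts, which are made up here, but that the decision is made per category of data and that gaps in the policy surface as output rather than as indefinite retention.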

This case also demonstrates that, even nearly two years on, the ICO still has a backlog of Data Protection Act 1998 enforcement cases to clear before it can fully turn its attention to GDPR issues.

Want to know more about recent enforcement actions in Europe? Read here…