Cathay Pacific fined £500,000 by ICO

The Information Commissioner’s Office (ICO) has fined Cathay Pacific Airways £500,000 for failing to protect customers’ personal data. — BBC

International airline Cathay Pacific, based in the UK, was issued a
£500,000 fine by the Information Commissioner’s Office (ICO) for a data
breach that occurred continuously between October 2014 and May 2018.

(The £500,000 fine Cathay Pacific is facing is the maximum possible under the Data Protection Act 1998.)

*Refer to the ICO’s monetary penalty notice to Cathay Pacific

  • How many people are affected?
    111,578 UK residents and a further 9.4 million people from other countries.

  • What information has been breached?
    Names, passport details, dates of birth, phone numbers, addresses and travel history.

The ICO said Cathay Pacific became aware of a problem in March 2018, when it suffered a “brute force” password-guessing attack.

  • What is a “brute force” attack?
    “Brute force” is a term from cryptography.
    In a brute-force attack, an attacker submits many passwords or
    passphrases in the hope of eventually guessing correctly. The attacker
    systematically checks all possible passwords and passphrases until the
    correct one is found. Alternatively, the attacker can attempt to guess
    the key, which is typically created from the password using a key
    derivation function.

    This is known as an exhaustive key search.
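
From the defender's side, password guessing of this kind shows up as a burst of failed logins. The sketch below is an added example, not taken from the ICO notice or from Cathay Pacific's systems: it flags any source address or account that collects five failures within 60 seconds. The log format, threshold, window and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, source IP, account, outcome (not real data).
SAMPLE_LOG = """\
2024-01-01T02:00:00 203.0.113.7 alice FAIL
2024-01-01T02:00:02 203.0.113.7 alice FAIL
2024-01-01T02:00:04 203.0.113.7 alice FAIL
2024-01-01T02:00:06 203.0.113.7 alice FAIL
2024-01-01T02:00:08 203.0.113.7 alice FAIL
2024-01-01T02:05:00 198.51.100.1 bob FAIL
2024-01-01T02:05:05 198.51.100.2 bob FAIL
2024-01-01T02:05:10 198.51.100.3 bob FAIL
2024-01-01T02:05:15 198.51.100.4 bob FAIL
2024-01-01T02:05:20 198.51.100.5 bob FAIL
2024-01-01T09:00:00 192.0.2.10 carol FAIL
2024-01-01T09:00:20 192.0.2.10 carol OK
"""

def parse(line):
    """Split one log line of the assumed format into typed fields."""
    ts, src, account, outcome = line.split()
    return datetime.fromisoformat(ts), src, account, outcome

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {key: time of first alert} for every source IP or account
    that reaches `threshold` failed logins inside a sliding `window`."""
    recent = defaultdict(deque)   # key -> timestamps of recent failures
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, account, outcome = parse(line)
        if outcome != "FAIL":
            continue
        # Count per source (one host guessing) and per account (many hosts,
        # one target), so distributed guessing is still caught.
        for key in (("src", src), ("account", account)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = ts
    return alerts

if __name__ == "__main__":
    for key, when in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(when.isoformat(), *key)
```

Counting per account as well as per source matters because guesses spread across many addresses never trip a per-source limit, as the "bob" events show.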