Cathay Pacific data breach fine highlights why businesses must take data security seriously

March 17, 2020

Data security is something that most organisations would claim publicly to take extremely seriously. New regulations such as the European Union’s (EU) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have pushed customer data privacy and security higher up the corporate agenda than ever.

Organisations have seen the size of the fines for non-compliance with GDPR (and the size of the companies being fined), and have also noted the potential size of CCPA fines once enforcement begins later in 2020. They are including such regulatory compliance in their operational risk management strategies and investing in risk management software to help mitigate this risk.

They are also keen to avoid the brand damage that comes with being cited as an organisation that doesn’t look after its customers’ data – once that reputation has stuck it can be hard to get rid of.

But despite this, are businesses still not taking data security as seriously as they should be? Is it something that organisations are only paying lip service to? A recent fine for international airline Cathay Pacific would suggest that businesses have a long way to go when it comes to securing customer data.

Cathay Pacific and ‘a catalogue of errors’

The fine for Cathay Pacific, £500,000, looks modest next to some of the bigger GDPR penalties, but it was the maximum available: the breach ran from October 2014 to May 2018, before GDPR applied, so the ICO acted under the Data Protection Act 1998, which capped penalties at £500,000.

The Information Commissioner’s Office (ICO), the UK data protection authority, found ‘a catalogue of errors’ in how the airline handled cybersecurity, as Cathay Pacific’s computer systems lacked the security measures needed to prevent customer details being exposed.

Around 9.4 million customers worldwide were affected by the breach. The failure to secure systems meant that personal details such as names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information were all exposed.

The ICO said that backups were not password-protected or encrypted, and that internet-facing servers were left unpatched despite a known vulnerability. Furthermore, an unsupported operating system was in use and anti-virus protection was inadequate. This all points to a lack of seriousness in approach when it comes to data security, and to a failure to properly integrate cybersecurity into risk management systems or a broader IT GRC tool.
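The first of those findings, unencrypted backups, is one a practitioner can test for directly. The script below is an added example, not code from the article, from Oxial or from Cathay Pacific: it classifies the first few kilobytes of each backup file by format signature, distinguishes compression from encryption, flags zip archives that use the broken legacy ZipCrypto scheme, and falls back to a byte-entropy check for containers it does not recognise. The file names, the `passengers` table and all sample contents are constructed in memory for the demonstration and are not real records.

```python
"""Added example (not from the article, Oxial or Cathay Pacific): classify
backup files as plaintext, weakly encrypted, encrypted or opaque, using
format signatures first and byte entropy as a fallback. All sample files
below are constructed in memory with hypothetical names and data."""
import gzip
import hashlib
import io
import math
import zipfile
from collections import Counter

# Formats that are never encrypted on their own (compression is not encryption).
PLAINTEXT_SIGNATURES = {
    b"\x1f\x8b": "gzip (compressed, not encrypted)",
    b"-- MySQL dump": "mysqldump SQL text",
    b"SQLite format 3\x00": "SQLite database file",
}
# Formats whose leading bytes identify an encrypted container.
ENCRYPTED_SIGNATURES = {
    b"Salted__": "OpenSSL enc output",
    b"age-encryption.org/v1": "age",
    b"-----BEGIN PGP MESSAGE-----": "ASCII-armoured OpenPGP",
}
# Binary OpenPGP has no fixed ASCII magic and falls through to the entropy check.
ENTROPY_THRESHOLD = 7.5  # bits/byte: ciphertext sits near 8.0, text near 4-5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_backup(header: bytes) -> tuple[str, str]:
    """Classify the leading bytes of a backup. Returns (verdict, reason) where
    verdict is 'plaintext' (readable or merely compressed), 'weak' (broken
    scheme, treat as unprotected), 'encrypted', or 'opaque' (high entropy but
    no known signature: confirm by hand)."""
    for sig, name in ENCRYPTED_SIGNATURES.items():
        if header.startswith(sig):
            return "encrypted", name
    if header.startswith(b"PK\x03\x04") and len(header) >= 10:
        # Zip local file header: general-purpose flags at offset 6, method at 8.
        flags = int.from_bytes(header[6:8], "little")
        method = int.from_bytes(header[8:10], "little")
        if flags & 0x0001:
            if method == 99:  # WinZip AES marks its entries with method 99
                return "encrypted", "zip, AES-encrypted entry"
            return "weak", "zip, legacy ZipCrypto entry (known-plaintext attack)"
        return "plaintext", "zip, entries not encrypted"
    if header[257:262] == b"ustar":  # tar magic lives at offset 257
        return "plaintext", "tar archive"
    for sig, name in PLAINTEXT_SIGNATURES.items():
        if header.startswith(sig):
            return "plaintext", name
    h = shannon_entropy(header)
    if h >= ENTROPY_THRESHOLD:
        return "opaque", f"no known signature, entropy {h:.2f} bits/byte"
    return "plaintext", f"no known signature, entropy {h:.2f} bits/byte"


def audit_backups(backups: dict[str, bytes]) -> list[tuple[str, str, str]]:
    """Return (name, verdict, reason) for every backup that is not 'encrypted'."""
    findings = []
    for name, data in backups.items():
        verdict, reason = classify_backup(data[:4096])
        if verdict != "encrypted":
            findings.append((name, verdict, reason))
    return findings


# --- constructed samples (hypothetical table and names, not real records) ---
def _pseudo_random(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


_SQL = "-- MySQL dump 10.13\n" + "".join(
    f"INSERT INTO passengers VALUES ({i}, 'Passenger {i}', 'P{i:07d}');\n"
    for i in range(60)
)
_zip = io.BytesIO()
with zipfile.ZipFile(_zip, "w", zipfile.ZIP_DEFLATED) as zf:
    zf.writestr("passengers.sql", _SQL)
_zipcrypto = bytearray(_zip.getvalue())
_zipcrypto[6] |= 0x01  # set the 'encrypted' flag as a ZipCrypto archive would

SAMPLE_BACKUPS = {
    "passengers.sql": _SQL.encode(),
    "passengers.sql.gz": gzip.compress(_SQL.encode()),
    "passengers.zip": _zip.getvalue(),
    "passengers_zipcrypto.zip": bytes(_zipcrypto),
    "passengers.sql.enc": b"Salted__" + _pseudo_random(4088),
    "passengers.age": b"age-encryption.org/v1\n" + _pseudo_random(4000),
    "unknown.bin": _pseudo_random(4096),
}

if __name__ == "__main__":
    for name, verdict, reason in audit_backups(SAMPLE_BACKUPS):
        print(f"{name:26} {verdict:10} {reason}")
```

Two design points matter in practice. Signatures are checked before entropy because a gzip or deflate stream is just as random-looking as ciphertext, so entropy alone would wave a compressed, unencrypted dump through. And a zip that is flagged encrypted is not automatically safe: the legacy ZipCrypto scheme is broken by known-plaintext attacks, so the audit reports it as `weak` rather than `encrypted`.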

Cybersecurity as part of an overall operational risk management strategy

Many of the criticisms levelled at Cathay Pacific were cybersecurity failings at a very basic level. Leaving servers unpatched against a known vulnerability is cybersecurity 101, and not something you would expect even from a small company, let alone a large international organisation such as Cathay Pacific.

So, what could have been the cause of such negligence? Cathay Pacific is mostly known as an airline that provides a strong customer experience, so it isn’t a case of consciously disregarding customer needs and expectations. Broadly it most likely falls into two areas:

Failure to properly mitigate cyber risk

Most organisations have cybersecurity teams, but cyber-attacks are still not always treated as a business risk. In 2020 they plainly are one, and cybersecurity risk needs to be fully integrated into risk management systems. Oxial’s IT GRC tool, sGRC, takes this approach, treating cyber-attacks as a fully-fledged business risk and using risk mapping to predict their impact.

Lacking the expertise and know-how around data security

Hackers are more professional and organised than ever, which makes it harder for organisations to keep defending themselves against them. Oxial’s GRC software keeps users abreast of day-to-day risks, such as the need to patch servers with known vulnerabilities, and we also work with a variety of the industry’s best partners, who have a deep understanding of what compliance regulation requires and what organisations need to do to make their cybersecurity as effective as it possibly can be.

In fairness, Cathay Pacific has stated that it had already taken measures to enhance its IT security in areas such as data governance, network security and access control, education and employee awareness, and incident response agility.

This suggests that the message about taking data security more seriously has been noted. Integrating cybersecurity more effectively into operational risk management strategies will go a long way towards preventing similar incidents in the future.

But with the fines for such data breaches growing bigger each year, can your organisation really afford to be lax with data security? If you think you could benefit from Oxial’s technology and expertise in cybersecurity and operational risk management, take a look at some of our case studies or get in touch with us here to discuss your own requirements.