Cathay Pacific fined over crooks slurping its database for over 4 years
The UK's Information Commissioner's Office said on Wednesday that it has fined Cathay Pacific Airways £500,000 for failing to secure passengers' personal details, leading to malware being installed on its server that harvested millions of people's names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.
Once it found that its database had been rifled through in 2018, Cathay Pacific hired a cybersecurity firm and subsequently reported the incident to the ICO. Investigations found that the airline lacked appropriate security measures to protect customers' data from October 2014 to May 2018.
As the New York Times reported, Cathay learned in May 2018 that passenger data had been exposed after first discovering suspicious activity on its network in March.
The ICO says that Cathay Pacific's systems were entered via a server connected to the internet.
Marriott's breach was similar to Cathay Pacific's, given that attackers got into the company's Starwood guest reservation database and stayed there for years: the unauthorized access started in 2014, and the breach was discovered and reported to the ICO in November 2018.