Cathay Pacific passenger data breach
A multi-year intrusion into Cathay Pacific's IT systems exposed the personal data of 9.4 million passengers worldwide, including passport and ID numbers, earning the airline the UK ICO's maximum £500,000 pre-GDPR fine.
- Victim
- Cathay Pacific Airways
- Loss
- $645.0K
- records
- 9.4M
- users
- 9.4M
On 24 October 2018, Cathay Pacific Airways, Hong Kong's flag carrier, disclosed that attackers had accessed the personal data of 9.4 million passengers worldwide. Investigation later revealed the intrusion had persisted undetected for over three and a half years, from October 2014 until May 2018 — one of the longest dwell times ever recorded in a major airline breach.
What happened
Attackers gained access to Cathay Pacific's IT systems as early as October 2014. The airline only noticed something was wrong in March 2018, after detecting suspicious activity following a brute-force password-guessing attack. By then, the intruders had had years of access to passenger records.
When the UK's Information Commissioner's Office (ICO) later investigated, it found what commentators called a "catalogue of errors." The deficiencies included:
- Database backups that were not password-protected
- Internet-facing servers left unpatched against known vulnerabilities
- Operating systems no longer supported by their developers
- Inadequate anti-virus protection
These basic failings gave attackers easy, persistent access to sensitive data.
Impact
- 9.4 million passengers worldwide had data exposed, including 233,234 in the EEA and 111,578 in the UK.
- Compromised fields included names, nationalities, dates of birth, phone numbers, email and postal addresses, passport and identity-card numbers, frequent-flyer numbers, customer-service remarks, and historical travel information.
- The ICO issued its maximum £500,000 fine under the pre-GDPR Data Protection Act 1998.
A near-miss with GDPR
The timing was pivotal. Because the breach predated the 25 May 2018 start of GDPR enforcement, the ICO was capped at £500,000. Had the breach continued just a few weeks longer under GDPR, Cathay Pacific could have faced a penalty of up to 4% of global annual turnover — an estimated £470 million. The case became a textbook illustration of how dramatically the regulatory stakes had shifted.
Why it matters
Cathay Pacific stands as a defining lesson in the cost of neglecting security fundamentals: unpatched servers, unprotected backups, and end-of-life software allowed a multi-year compromise of one of Asia's most prominent airlines. It also crystallised the GDPR inflection point for boards worldwide — the same incident occurring weeks later would have carried a fine nearly a thousand times larger, making the breach a cautionary tale told in every data-protection briefing since.
Timeline
Attackers begin accessing Cathay Pacific IT systems; the unauthorized access continues undetected for years.
Cathay Pacific detects suspicious activity following a brute-force password attack and launches an investigation.
The last known unauthorized access to the affected systems occurs.
Cathay Pacific publicly discloses that 9.4 million passengers' personal data was compromised.
The UK ICO issues a Monetary Penalty Notice fining Cathay Pacific £500,000, the maximum under the Data Protection Act 1998.
The ICO publicly announces the £500,000 penalty for the airline's security failings.
Sources
- computerweekly.comhttps://www.computerweekly.com/news/252479582/Cathay-Pacific-hit-with-500000-data-protection-fine-from-ICO-over-2018-breach
- sophos.comhttps://www.sophos.com/en-us/blog/cathay-pacific-fined-over-crooks-slurping-its-database-for-over-4-years
- hunton.comhttps://www.hunton.com/privacy-and-information-security-law/ico-fines-international-airline-cathay-pacific-gbp-500000-maximum-available-for-failing-to-secure-customers-personal-data
- bitdefender.comhttps://www.bitdefender.com/en-us/blog/hotforsecurity/cathay-pacific-slammed-for-security-failures-following-hack-which-exposed-9-4-million-people-worldwide