Cathay Pacific Airways Fined Over Long-Running Breach
UK Information Commissioner Fines Cathay Pacific $646,000 Over Long-Running Breach
The UK Information Commissioner’s Office (ICO) announced Wednesday that it has fined Hong Kong based Cathay Pacific Airways Ltd the maximum possible £500,000 ($646,000) following a long-running breach that occurred between October 2014 and May 2018.
The current UK Data Protection Act 2018 came into force 12 days after the breach was remedied on May 23, 2018. Had the DPA 2018 been in force during the breach, and had the maximum fine possible been levied, and had Cathay Pacific’s revenue been similar to 2016’s $10 billion, then the fine could potentially have been as much as $400 million (4% of revenue). However, it is worth noting that the Cathay Pacific fine is considerably more than the ICO GDPR fine of $230 million against British Airways for its breach in 2018.
The ICO’s Notice of Monetary Penalty (PDF) describes two separate groups that breached the airline’s systems. They were discovered during an investigation following “a brute force attack against its Active Directory database”. It seems likely this was a third attacker.
It isn’t known how one of the groups got into Cathay Pacific. The other, however, apparently entered via an internet-facing server, moved laterally, installed malware and harvested credentials from 10 August 2017. The earliest known unauthorized access was 15 October 2014, and the earliest unauthorized access to personal data was 2 July 2015.
The breach was extensive, with 9.4 million data subjects being affected worldwide. Of these, only 111,578 were UK subjects. However, the number of subjects involved is less important than the type of data stolen (that is, data ‘likely to cause substantial damage or distress’), and the quality of security controls in place with the affected company.
The personal data stolen includes passenger names, nationalities, dates of birth, phone numbers, email addresses, postal addresses, passport and identity card numbers, frequent flyer membership numbers, customer service remarks and historical travel information. Although there have been no substantiated abuses of this data to date, the ICO comments, “it is likely that social engineering phishing attack against those data subjects will be successful in the future.”
However, it is the failure of having or using adequate security controls that really stands out in this case. Firstly, the database backups were not encrypted. Cathay Pacific claims it was because of a data migration; but that migration must either have been in progress for the entire three years of the breach, or the company knows when the database was accessed. Unfortunately, Cathay Pacific could not provide full information to the ICO because some of the servers were decommissioned following the airline’s own forensic analysis. This is contrary to best practice in the preservation of digital evidence.
Despite the lack of full knowledge, the ICO was able to list a range (in its statement, the ICO calls it a ‘catalogue’) of data security errors, including files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported; and inadequate anti-malware protection. Additional issues included too long between penetration tests, inadequate privileged account management, retention of data beyond what is necessary (itself a failing under the DPA 2018 and the GDPR), and no evidence of server hardening.
“This breach,” said Steve Eckersley, ICO director of investigations, “was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.”
However, the ICO did find that the failings were negligent rather than deliberate. In many cases, the airline had adequate security policies that simply weren’t followed. “Cathay Pacific did have in place a wide array of proactive security measures and policies at the time of the attack,” says the ICO Penalty Notice. “However, it failed to effectively manage those solutions, or to adhere to its own policies.” This criticism is aggravated by the quantity and nature of the personal data controlled and processed by the airline.
“If appropriate steps had instead been taken,” adds the Notice, “they could have prevented or limited the scope or impact of the data breach, and/or ensured that the breach could have been detected and remedied sooner.”
The key elements of this incident are the dwell time of the attackers before discovery (more than 3 years, and it might have been longer were it not for an apparently unrelated brute force attack against Active Directory), and the failure of policies. The dwell time could possibly have been limited with threat hunting solutions installed. The failure of policies, however, is a failure of management.
Cesar Cerrudo, CTO at IOActive, comments on this. “Companies can’t afford to stick their heads in the sand and ignore cyber security any longer. It’s absolutely vital to exercise good security hygiene, prioritize data protection and keep cyber resiliency in mind. This means looking at their processes from end-to-end, considering how devices and systems are being used, connected and who is using them, to truly get a strong gauge of their cybersecurity posture.”