Cathay Pacific Airways has avoided a crippling financial penalty of as much as HK$4.4 billion (US$564 million) under tough European data privacy laws for a 2018 breach, after Britain’s information watchdog fined it a fraction of that sum using older legislation.
The British Information Commissioner’s Office (ICO) announced on Wednesday that Hong Kong’s flagship carrier was to pay a £500,000 (US$639,600) fine, the first financial penalty meted out by any jurisdiction for the data breach, for what it described as a “catalogue of errors”.
Some 9.4 million customers worldwide were affected by the breach, which was publicly disclosed in October 2018, in one of the worst incidents to hit the travel industry at the time.
The original breach occurred in October 2014. The information stolen included names, passport details, dates of birth, travel histories and addresses.
Steve Eckersley, ICO director of investigations, said: “This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers.