16/03/2020

Two recent decisions by the UK Information Commissioner’s Office underscore the importance of taking proactive and comprehensive measures to protect customer data, and provide a useful comparison between the enforcement tools available to regulators under the old UK Data Protection Act 1998 and the current GDPR regime.

The UK Information Commissioner’s Office (ICO) has recently fined Cathay Pacific £500,000 (c. A$1m) following a series of attacks over a number of years that exposed the personal data of over 9.4 million of the airline’s customers. The ICO’s report concluded that Cathay Pacific failed to adequately secure its customers’ personal data, leading to a series of hacks by at least two groups beginning in October 2014. The attacks were only discovered almost four years later.

A central element of the ICO’s rationale for such a large penalty was that Cathay Pacific failed on several grounds to secure its data. These failures included a lack of encryption of Cathay Pacific’s database backups (in contravention of Cathay Pacific’s own internal policies), failure to patch its internet-facing server against a known vulnerability, failure to implement multi-factor authentication, and allowing the administrator console to be publicly accessible via the internet.

The fine comes in the wake of the ICO taking action last year to fine British Airways for breaches of its obligations under the UK’s Data Protection Act 2018 (which implements the EU’s General Data Protection Regulation (GDPR)). As was the case with Cathay Pacific, part of the British Airways attack involved hackers exploiting a known (and preventable) vulnerability. In BA’s case, a vulnerability in third-party JavaScript allowed hackers to redirect BA customers to a fake site which harvested the personal details – including passwords, personal information and credit card details – of half a million customers. British Airways had not updated that particular piece of JavaScript since 2012.

In mid-2019 the ICO announced its intention to fine British Airways an eye-watering £183.4m (c. A$367m) for its failure, equating to approximately 1.5% of BA’s worldwide annual turnover. The enormous difference between the two ICO fines is a function of the enforcement tools now available to the ICO under the new GDPR regime versus those it previously had at its disposal. Cathay Pacific’s breaches fell under the pre-GDPR regime with its much lower maximum fines (despite the larger number of affected users). One would expect that if the Cathay incident were to occur again, the fines would be significantly larger.

The following table summarises some of the key features of the two cases and demonstrates the consequences of failing to meet data security obligations, in particular for companies subject to the GDPR.

| | British Airways | Cathay Pacific |
|---|---|---|
| Timing of breach(es) | 2018 | 2014 – 2018 |
| Customers affected | c. 500,000 | c. 9.4 million |
| Details of breach | Failure to secure a JavaScript vulnerability, leading to diversion of user traffic to a fake website | Multiple failures, including failure to update servers against a known vulnerability, failure to implement two-factor authentication and allowing the administrator console to be accessed via the internet |
| Information compromised | Personal details, credit card information, login details, travel booking information | Personal details, passport numbers, travel booking information, historical travel information |
| Applicable law | Data Protection Act 2018 (UK) (enacting the General Data Protection Regulation (EU) 2016/679) | Data Protection Act 1998 (UK) |
| Fine levied by ICO | £183.4m (c. A$367m) | £500,000 (c. A$1m) |

These cases are a stark reminder, if one were needed, that organisations can and will be penalised not only for their wrongful or wilful acts, but also for failing to take adequate steps to ensure that all their systems and security protocols are fit for purpose.

This principle applies equally in Australia, as the Australian Privacy Principles require that organisations which hold personal information must take reasonable steps to protect that information from misuse, interference, unauthorised access and loss. The Office of the Australian Information Commissioner (OAIC) has the ability to seek a Federal Court order that a company or individual subject to the Privacy Act 1988 (Cth) be fined for serious or repeated breaches of the Australian Privacy Principles. In a recent example, the OAIC took this action against Facebook for privacy breaches related to the 2018 Cambridge Analytica scandal.

More details about the ICO’s action against Cathay Pacific can be found in the ICO’s press release or the full Monetary Penalty Notice. More details about the ICO’s action against British Airways can be found in the ICO’s press release.

Authors: Tim Gole, Nikhil Shah, Christopher Ashen
