top of page

News & Views

Cathay Pacific fined

Cathay Pacific Airways has been fined £500,000 by the Information Commissioner’s Office (ICO) for failing to protect customers’ personal data.

Globally, some 9.4 million customer (of which 111,578 were from the UK), had their data exposed after security lapses at the Airline.

Commenting on the news, Jake Olcott, VP Government Affairs at BitSight (, the leader in Security Ratings and cybersecurity risk says, “This fine once again highlights that boards are accountable for strong cybersecurity performance, regardless of the monetary penalty; they must manage it in a similar way to any other critical business issue.  Poor performance leads to breaches, fines, and legal liability.  Therefore, when it comes to cybersecurity, ongoing briefings, regular reporting, and performance metrics are no longer nice to have – they are required.”

“News that Cathay Pacific is set to be fined £500,000 over a data breach that led the exposure of 9.4 million customer details brings into stark focus the severity with which the Information Commissioner’s Office (ICO) is addressing data compliance.  The fine is the maximum possible under the Data Protection Act 1998, which was used instead of the newer GDPR ‘due to the timing of the incidents in this investigation’,” added Tony Pepper, CEO of Egress (

“Had this been under GDPR, Cathay Pacific could have been hit with a mammoth £470 million, approximately 4% of its annual global turnover – dwarfing the fines handed out to BA (£183 million) and Marriott (£99.2 million).

“This acts as yet another wake-up call to organizations not taking data protection seriously.  GDPR demands compliance from businesses of all sizes and they need to take all necessary steps towards protecting data.  This means adopting a comprehensive layered approach to data security which enables users to protect sensitive information in a simple and easy-to-use way.  At a time when phishing and other cyberattacks are becoming much more prevalent, it has never been more important to analyse the best way to mitigate the risks of data breaches,” says Pepper.

The Cathay Pacific data breach saw the exposure of customers’ names, passport details, dates of birth, phone numbers, addresses and travel history.


bottom of page