The monetary penalty notice issued by the Information Commissioner’s Office identified 12 failings in Cathay Pacific’s security measures. I have extracted these as a simple list and suggest that all organisations check for similar issues:

  1. Database back-ups not encrypted.
  2. An internet-facing server was accessible due to a known and publicised vulnerability. Both the vulnerability and the fix had been public knowledge for around 10 years.
  3.  The administrator console was publicly available on the internet.
  4.  One system was hosted on an operating system that was no longer supported.
  5.  There was no evidence of adequate server hardening (a process for removing unnecessary features to minimise attack points).
  6. Network users were permitted to authenticate past the VPN without multifactor authentication.
  7. Anti-virus protection was  inadequate.
  8. Patch management was inadequate.
  9.  Accounts were given inappropriate privileges.
  10.  Penetration testing was inadequate.
  11.  Retention periods were too long.
  12.  There was a failure to manage security solutions which it did have in place or to adhere to its own policies.

 


You might also be interested in::
  1. ICO publishes Draft Guidance on the AI Auditing Framework This draft guidance relating to applications of artificial intelligence has recently been published for consultation....
  2. Change to Data Protection Law A recent and significant change to data protection law seems to have gone under the...
  3. ICO Guidance on Special Category Data – 5 Points of Note The new ICO Guidance on Special Category Data was published on Thursday 14th November 2019....
data protection breach Data Protection Law