The monetary penalty notice issued by the Information Commissioner’s Office identified 12 failings in Cathay Pacific’s security measures. I have extracted these as a simple list and suggest that all organisations check for similar issues:
- Database back-ups not encrypted.
- An internet-facing server was accessible due to a known and publicised vulnerability. Both the vulnerability and the fix had been public knowledge for around 10 years.
- The administrator console was publicly available on the internet.
- One system was hosted on an operating system that was no longer supported.
- There was no evidence of adequate server hardening (a process for removing unnecessary features to minimise attack points).
- Network users were permitted to authenticate past the VPN without multifactor authentication.
- Anti-virus protection was inadequate.
- Patch management was inadequate.
- Accounts were given inappropriate privileges.
- Penetration testing was inadequate.
- Retention periods were too long.
- There was a failure to manage security solutions which it did have in place or to adhere to its own policies.
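Most of these failings can be turned into mechanical rules that run against whatever asset inventory an organisation already keeps. The script below is an added example, not part of the original post and not drawn from the ICO notice or from Cathay Pacific's systems: the inventory records, the end-of-support dates, the policy thresholds (patch age, retention, number of privileged accounts) and the "internal" network ranges are all constructed assumptions that would need replacing with the organisation's own data and policy.

```python
"""Audit a constructed asset inventory against the failings listed in the ICO notice.

Added example, not from the original post. Every record, date and threshold below
is a constructed assumption; replace them with real inventory data and policy.
"""
from dataclasses import dataclass, field
from datetime import date
import ipaddress

# Assumed end-of-support dates for a few OS labels (constructed; confirm against
# the vendor's lifecycle pages before relying on them).
OS_END_OF_SUPPORT = {
    "windows-server-2008": date(2020, 1, 14),
    "windows-server-2019": date(2029, 1, 9),
    "ubuntu-18.04": date(2023, 5, 31),
    "ubuntu-22.04": date(2027, 4, 30),
}

# Address ranges treated as "not reachable from the internet" (assumption: RFC 1918 + loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed policy thresholds (constructed).
POLICY = {"max_patch_age_days": 30, "max_retention_days": 365, "max_admin_accounts": 3}


@dataclass
class Backup:
    name: str
    encrypted: bool


@dataclass
class Service:
    name: str
    bind_address: str            # address the service listens on
    admin_console: bool = False
    allowlist: list = field(default_factory=list)  # source ranges permitted, if any


@dataclass
class Asset:
    hostname: str
    os: str
    internet_facing: bool
    patch_age_days: int          # days since the last patch run
    vpn_mfa_required: bool
    admin_accounts: list
    data_retention_days: int
    services: list = field(default_factory=list)
    backups: list = field(default_factory=list)


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def audit(asset: Asset, today: date) -> list:
    """Return (failing, evidence) tuples for one asset, in a fixed order."""
    findings = []
    for b in asset.backups:
        if not b.encrypted:
            findings.append(("unencrypted backup", b.name))
    eol = OS_END_OF_SUPPORT.get(asset.os)
    if eol is None:
        findings.append(("unknown OS support status", asset.os))
    elif eol <= today:
        findings.append(("unsupported operating system", f"{asset.os} EOL {eol}"))
    for s in asset.services:
        addr = ipaddress.ip_address(s.bind_address)
        # 0.0.0.0 is not in any internal range, so a wildcard bind on an
        # internet-facing host counts as exposed unless an allowlist restricts it.
        exposed = asset.internet_facing and not is_internal(addr)
        if s.admin_console and exposed and not s.allowlist:
            findings.append(("admin console exposed to internet", f"{s.name}@{s.bind_address}"))
    if asset.patch_age_days > POLICY["max_patch_age_days"]:
        findings.append(("patching overdue", f"{asset.patch_age_days} days since last patch"))
    if not asset.vpn_mfa_required:
        findings.append(("VPN without MFA", asset.hostname))
    if len(asset.admin_accounts) > POLICY["max_admin_accounts"]:
        findings.append(("excess privileged accounts", ", ".join(asset.admin_accounts)))
    if asset.data_retention_days > POLICY["max_retention_days"]:
        findings.append(("retention period too long", f"{asset.data_retention_days} days"))
    return findings


def audit_all(assets: list, today: date) -> dict:
    return {a.hostname: audit(a, today) for a in assets}


# Constructed sample inventory: one host that shows most of the listed failings, one clean host.
TODAY = date(2021, 1, 1)
SAMPLE = [
    Asset("legacy-web-01", "windows-server-2008", True, 400, False,
          ["admin", "svc_backup", "ops1", "ops2"], 3650,
          services=[Service("mgmt-console", "0.0.0.0", admin_console=True)],
          backups=[Backup("db-nightly", encrypted=False)]),
    Asset("app-02", "ubuntu-22.04", True, 7, True, ["admin"], 180,
          services=[Service("web", "0.0.0.0"),
                    Service("mgmt-console", "10.0.5.4", admin_console=True)],
          backups=[Backup("db-nightly", encrypted=True)]),
]

if __name__ == "__main__":
    for host, findings in audit_all(SAMPLE, TODAY).items():
        print(host, "->", findings or "no findings")
```

The rules only cover failings that an inventory can evidence directly (backup encryption, OS support, console exposure, patch age, MFA, privileged accounts, retention); "adequate" hardening, anti-virus and penetration testing are judgement calls that still need a human review of the actual configuration and test reports.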