The monetary penalty notice issued by the Information Commissioner’s Office identified 12 failings in Cathay Pacific’s security measures. I have extracted these as a simple list and suggest that all organisations check for similar issues:

  1. Database back-ups not encrypted.
  2. An internet-facing server was accessible due to a known and publicised vulnerability. Both the vulnerability and the fix had been public knowledge for around 10 years.
  3. The administrator console was publicly available on the internet.
  4. One system was hosted on an operating system that was no longer supported.
  5. There was no evidence of adequate server hardening (a process for removing unnecessary features to minimise attack points).
  6. Network users were permitted to authenticate past the VPN without multifactor authentication.
  7. Anti-virus protection was inadequate.
  8. Patch management was inadequate.
  9. Accounts were given inappropriate privileges.
  10. Penetration testing was inadequate.
  11. Retention periods were too long.
  12. There was a failure to manage the security solutions it did have in place, or to adhere to its own policies.
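As an added illustration (not part of the penalty notice or of the list above), here is a small Python self-check that a defender could run against two of the items: it classifies the leading bytes of database back-up files as plaintext, compressed or encrypted (item 1), and parses `ss -tlnp` style output to find administrator-console ports bound to every interface (item 3). The sample back-up headers, the socket table and the set of admin-console ports are constructed for the example; the entropy threshold is a heuristic, not a standard.

```python
"""Self-check for two of the ICO findings: unencrypted back-ups and exposed admin consoles.

Added example; the sample data below is constructed, not taken from the case.
"""
import hashlib
import math
import re
from collections import Counter

# Headers of common *plaintext* database dump formats.
PLAINTEXT_DUMP_SIGNATURES = {
    b"PGDMP": "PostgreSQL custom-format dump (pg_dump -Fc is not encrypted)",
    b"-- MySQL dump": "mysqldump plaintext SQL",
    b"-- PostgreSQL database dump": "pg_dump plaintext SQL",
    b"SQLite format 3\x00": "SQLite database file",
}
# Headers of encrypted container formats accepted as "encrypted at rest".
ENCRYPTED_SIGNATURES = {
    b"-----BEGIN PGP MESSAGE-----": "OpenPGP ASCII-armoured",
    b"age-encryption.org/v1": "age",
}
HEAD_BYTES = 4096  # how much of each file to sample


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_backup(head: bytes) -> tuple:
    """Return (verdict, reason) for the first bytes of a back-up file.

    Verdicts: FAIL (plaintext or merely compressed), PASS (known encrypted
    container), REVIEW (random-looking but unrecognised; confirm the tool).
    """
    for sig, name in PLAINTEXT_DUMP_SIGNATURES.items():
        if head.startswith(sig):
            return "FAIL", f"plaintext: {name}"
    for sig, name in ENCRYPTED_SIGNATURES.items():
        if head.startswith(sig):
            return "PASS", f"encrypted: {name}"
    # gzip scores high on entropy but compression is not encryption.
    if head.startswith(b"\x1f\x8b"):
        return "FAIL", "gzip-compressed, not encrypted"
    # Binary OpenPGP / raw AES containers have no fixed ASCII header, so fall
    # back to entropy: a 4 KiB sample of ciphertext sits close to 8 bits/byte.
    if shannon_entropy(head) > 7.5:
        return "REVIEW", "high entropy, no known header: verify the encryption tool"
    return "FAIL", "low entropy, unrecognised format: likely plaintext"


def classify_backup_file(path: str) -> tuple:
    """Classify an on-disk back-up by its first HEAD_BYTES bytes."""
    with open(path, "rb") as fh:
        return classify_backup(fh.read(HEAD_BYTES))


# --- item 3: admin console reachable on every interface ---------------------
# Constructed `ss -tlnp` output for the example.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:8443      0.0.0.0:*         users:(("admin-console",pid=2201,fd=9))
LISTEN 0      511    *:9990              *:*               users:(("java",pid=2310,fd=14))
LISTEN 0      4096   [::]:5432           [::]:*            users:(("postgres",pid=1044,fd=5))
"""
WILDCARD_ADDRESSES = {"0.0.0.0", "*", "[::]", "::"}
ADMIN_CONSOLE_PORTS = {8443, 9990}  # assumption: consoles this host is known to run


def exposed_admin_consoles(ss_output: str) -> list:
    """Return [(port, process)] for admin-console ports bound to all interfaces."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        if addr not in WILDCARD_ADDRESSES or int(port) not in ADMIN_CONSOLE_PORTS:
            continue
        match = re.search(r'\("([^"]+)"', cols[5]) if len(cols) > 5 else None
        findings.append((int(port), match.group(1) if match else "?"))
    return findings


# Constructed back-up heads: a mysqldump, a gzip, a CSV export and a
# random-looking 4 KiB blob standing in for a headerless ciphertext.
SAMPLE_BACKUP_HEADS = {
    "customers.sql": b"-- MySQL dump 10.13  Distrib 8.0.36\n",
    "customers.sql.gz": b"\x1f\x8b\x08\x00" + b"\x00" * 60,
    "export.csv": b"id,name,email\n1,alice,a@example.test\n" * 20,
    "customers.enc": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)),
}


def run_checks() -> dict:
    """Run both checks over the constructed samples and return the verdicts."""
    backups = {name: classify_backup(head)[0] for name, head in SAMPLE_BACKUP_HEADS.items()}
    return {"backups": backups, "exposed": exposed_admin_consoles(SAMPLE_SS_OUTPUT)}


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(key, value)
```

A wildcard bind is not proof that the console is reachable from the internet (a host or network firewall may sit in front of it), so treat the socket findings as items to confirm with an external port scan of your own assets rather than as a verdict. The back-up check only inspects headers; a PASS means the file is in a recognised encrypted container, not that the key is managed well.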