The personal details of about 9.4 million people – 111,578 of whom were from the UK – were exposed in cyberattacks during 2018.
Hackers first used a scattergun approach, inputting numerous passwords or phrases in the hope of eventually landing on one that was correct.
Cathay Pacific responded by employing a cybersecurity firm, which reported the incident to the Information Commissioner’s Office (ICO).
The ICO found that the attackers entered Cathay Pacific’s systems via an online server in order to install malware.
It has ruled that between October 2014 and May 2018, the airline’s computer systems were not secure enough, with errors including back-up files that were not password protected, the use of outdated systems and inadequate anti-virus software.
The airline did not satisfy four-fifths of the National Cyber Security Centre’s basic Cyber Essentials guidance, the ICO said, and must now pay a £500,000 fine.
Exposed details included names, passport numbers, dates of birth, postal and email addresses, phone numbers and historical travel information.
“People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud,” said Steve Eckersley, ICO director of investigations. “That simply was not the case here.”
The ICO said Cathay Pacific issued appropriate information to the people affected and co-operated with the investigation.
A spokesperson from Cathay Pacific apologised for the incident: “The company has already taken measures to enhance its IT security in the areas of data governance, network security and access control, education and employee awareness, and incident response agility.
“Substantial amounts have been spent on IT infrastructure and security over the past three years and investment in these areas will continue.”