• by Sean Hargrave , Staff Writer, March 6, 2020

It may sound like a rude move that could see marketers overstep the mark with IT, but as Cathay Pacific gets away with just a GBP500,000 fine from the ICO for laughably bad data security, brand custodians need to know customer data is in safe hands.

The same goes for Virgin Media, which has had to admit leaving 900,000 customer records on an unprotected database. Luckily for the telecoms brand, it appears the list was not hacked, but the problem was discovered by a security researcher. Even so, the incident is now in the hands of the ICO, and customers will draw their own conclusions on how highly Virgin Media regards their privacy.

It's not really in the DNA of the average marketer to question IT, but when you see what happened with Cathay Pacific, you cannot help but think the office intern with a City and Guilds qualification could have done a better job at protecting data. At Virgin Media, they may as well have left it to the office cleaners because, literally, nobody bothered to secure the marketing database in question.

Regular readers of this column will know I have always predicted the big GDPR fines will come through IT security issues rather than a few people still getting emails after they'd hit "unsubscribe." BA and Marriott have been the proof of this so far in the UK, with eye-opening fines for being lax with security.

Cathay Pacific can count itself very lucky that its issue, which saw more than nine million customer records lost to hackers, happened before GDPR became law. Had the breach occurred under the new regulation, the fine would likely have been in the tens of millions of pounds.

Virgin Media will have to wait to see whether the ICO cuts it a break because there was no breach. It's unlikely they will get off completely free because GDPR does require personal information is protected which, clearly, it wasn't in this case.

The ICO is usually very restrained, but it could not help but hit out at the woeful lack of security deployed by Cathay Pacific. We're not talking about a brand being the victim of incredibly skilled hackers here. We're on the level of incompetence. 

Which brings us to the four questions marketers should ask, which are effectively the four ridiculously simple gaffes the airlines IT security team made.

1. Are backup files protected? You'd be surprised to hear they weren't at Cathay Pacific.

2. Are our servers patched? Again, you'd be surprised to hear Cathay Pacific had not installed patches to deal with well-known vulnerabilities. 

3. Are our systems supported? Surprise time again. Cathay Pacific was using software that was no longer supported by the original vendor. 

4. Is our anti-virus up to date? Yes, we really are at that level of incompetence at Cathay Pacific. 

Important questions such as these need to be raised by marketing, because no other part of an organisation is tasked with having the customer's proverbial back. No part of a business is seen as the guardian of its brand. No other part of a business will be held responsible for customer's churning to rival organisations who take their privacy and data security more seriously.