IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Data breach at online travel firm nets £150k fine from ICO

Think W3 Ltd has been ordered to cough up after more than 1.5 million credit card details were stolen by hackers

Password login page

An online travel services company has been hit with a data breach fine of 150,000 after hackers plundered the details of more than 1.5 million customers' credit cards.

The Information Commissioner's Office (ICO) hit Think W3 Ltd with the penalty after one of its subsidiaries, Essential Travel, had its website hacked, resulting in 1,163,996 customer credit card details being stolen.

Of these details, 430,599 were identified as currently in-use credit cards, while the remainder were found to have expired.

Following an investigation by the ICO, it emerged that no cardholder data had been deleted from the server since 2006.  

According to the data protection watchdog, the hacker was able to access the data by exploiting a coding error vulnerability on the website's login page.

From here, the perpetrator was able to lift credit card details, customer names, addresses, mobile numbers and email addresses.

The breach was uncovered on 24 December 2012, and the ICO has now ruled that the company failed to take the necessary technical measures to keep its customer data safe, and has fined it accordingly.  

Stephen Eckersley, head of enforcement at the ICO, described the events that led to the hacker lifting the firm's customer details as a "staggering lapse" in judgement.

 "Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers' personal data secure; failing to test their security and failing to delete out-of-date information," he said.

"The public's awareness of the importance of data protection is rising all the time. Ignorance from data controllers is no excuse. They must take active steps to ensure the personal data they are responsible for is kept safe or face enforcement action and the resulting reputational damage."

In a statement to IT Pro, Holiday Extras, which acquired the Think W3/Essential Travel brand from Thomas Cook in 24 January 2014, said it wanted to assure its "past and present" customers that data security is a top priority for the firm.

Matthew Pack, CEO Of Holiday Extras, said in a statement: "We acquired Essential Travel on 24 January 2014, at which point all payment processing migrated to the main Holidays Extra system.

"Security of customer data is one of our top priorities and we continue to invest significantly in this area to ensure customer peace of mind."

IT Pro contacted Thomas Cook for comment on this story, and the company confirmed it will pay the fine even though it no longer owns either entity. 

"As the breach occured while Think W3 Ltd/Essential Travel was part of the Thomas Cook Group, we will make the payment on behalf of Holiday Extras against this monetary penalty," the company said in a statement.

"The Essential Travel computer system that was breached was a legacy system used by Think W3 Ltd/Essential Travel and is not used by any other part of the Thomas Cook Group," it added.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

The state of brand protection 2021

A new front opens up in the war for brand safety

Free download

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

7 Jun 2022
The top programming languages you need to learn for 2022
Careers & training

The top programming languages you need to learn for 2022

23 Jun 2022
Attracting and retaining talent through training

Attracting and retaining talent through training

13 Jun 2022