Data breach at online travel firm nets £150k fine from ICO
Think W3 Ltd has been ordered to cough up after more than 1.5 million credit card details were stolen by hackers
An online travel services company has been hit with a data breach fine of 150,000 after hackers plundered the details of more than 1.5 million customers' credit cards.
The Information Commissioner's Office (ICO) hit Think W3 Ltd with the penalty after one of its subsidiaries, Essential Travel, had its website hacked, resulting in 1,163,996 customer credit card details being stolen.
Of these details, 430,599 were identified as currently in-use credit cards, while the remainder were found to have expired.
Following an investigation by the ICO, it emerged that no cardholder data had been deleted from the server since 2006.
According to the data protection watchdog, the hacker was able to access the data by exploiting a coding error vulnerability on the website's login page.
From here, the perpetrator was able to lift credit card details, customer names, addresses, mobile numbers and email addresses.
The breach was uncovered on 24 December 2012, and the ICO has now ruled that the company failed to take the necessary technical measures to keep its customer data safe, and has fined it accordingly.
Stephen Eckersley, head of enforcement at the ICO, described the events that led to the hacker lifting the firm's customer details as a "staggering lapse" in judgement.
"Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers' personal data secure; failing to test their security and failing to delete out-of-date information," he said.
"The public's awareness of the importance of data protection is rising all the time. Ignorance from data controllers is no excuse. They must take active steps to ensure the personal data they are responsible for is kept safe or face enforcement action and the resulting reputational damage."
In a statement to IT Pro, Holiday Extras, which acquired the Think W3/Essential Travel brand from Thomas Cook in 24 January 2014, said it wanted to assure its "past and present" customers that data security is a top priority for the firm.
Matthew Pack, CEO Of Holiday Extras, said in a statement: "We acquired Essential Travel on 24 January 2014, at which point all payment processing migrated to the main Holidays Extra system.
"Security of customer data is one of our top priorities and we continue to invest significantly in this area to ensure customer peace of mind."
IT Pro contacted Thomas Cook for comment on this story, and the company confirmed it will pay the fine even though it no longer owns either entity.
"As the breach occured while Think W3 Ltd/Essential Travel was part of the Thomas Cook Group, we will make the payment on behalf of Holiday Extras against this monetary penalty," the company said in a statement.
"The Essential Travel computer system that was breached was a legacy system used by Think W3 Ltd/Essential Travel and is not used by any other part of the Thomas Cook Group," it added.
Accelerating AI modernisation with data infrastructure
Generate business value from your AI initiativesFree Download
Recommendations for managing AI risks
Integrate your external AI tool findings into your broader security programsFree Download
Modernise your legacy databases in the cloud
An introduction to cloud databasesFree Download
The state of brand protection 2021
A new front opens up in the war for brand safetyFree download