ICO hits booking agent with £150,000 fine for data breach

The Information Commissioner’s Office has shown it is still keen to penalise those that are lax with data after fining a booking agent.

Essential Travel, a booking agent for airport car parking and travel insurance, has been slapped with a £150,000 fine by the Information Commissioner’s Office (ICO) following a serious breach of its systems in which over 1,100,000 credit and debit card details were hacked.

Think W3, which owns Essential Travel and operates its website, discovered the breach on Christmas Eve 2012. The attacker made off with the personal card details of over 430,000 people, including names, addresses, phone numbers, and email addresses.

Luckily for the card owners, card CVV details were not stored in the database. A further 733,000 card details were also taken, though these cards had expired. Cardholder data had not been deleted from the database since 2006.

The company had developed a system for internal use which was installed on its main e-commerce platform. The code for the website login page, used by staff working from home, contained a coding error. Security checks such as penetration tests or internal scans weren’t carried out.

A hacker exploited the coding error on the website login page to bypass the authentication process, gaining access to the admin interface and ultimately to the database containing customer details.

The ICO said: “...the contravention of the... data protection principle is very serious and... the imposition of a monetary penalty in the sum of £150,000 is reasonable and proportionate...”

Ironically, Essential Parking was planning on implementing a token-based security system when the breach happened. The system was speedily implemented following the hack.
