ICO slaps online travel firm with £150,000 penalty

The Information Commissioner’s Office (ICO) has issued a monetary penalty of £150,000 to online travel services firm Think W3 Limited for exposing more than a million customer records to a hacker.

Download this free guide

The importance of web security

Join us as we take a look at the different approaches you can take in order to bolster your web security. We find out how to identify and address overlooked web security vulnerabilities, how security controls affect web security assessment results and why web opportunities must be met with appropriate security controls.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

The company was hacked in December 2012 after using insecure coding on the website of a subsidiary business, Essential Travel Ltd.

The hacker was able to copy 1,163,996 credit and debit card records. Of these records 430,599 were identified as current and 733,397 as expired.

Cardholder details had not been deleted since 2006 and there had been no security checks or reviews since the system had been installed.

“This was a staggering lapse that left more than a million holiday makers’ sensitive personal details exposed to a malicious hacker,” said Stephen Eckersley, head of enforcement at the ICO.

“Data security should be a top priority for any business that operates online,” he said.

Think W3 Limited accepted liability for failing to keep their customers’ personal data secure; failing to test their security and failing to delete out-of-date information.

“The public’s awareness of the importance of data protection is rising all the time. Ignorance from data controllers is no excuse,” said Eckersley.

“They must take active steps to ensure the personal data they are responsible for is kept safe or face enforcement action and the resulting reputational damage,” he said.

Stephen Bonner, partner in information protection and business resilience at KPMG, recently told Computer Weekly that privacy could be the key to opportunity and success for UK firms.

“In a flat, global network where e-commerce can be delivered anywhere in the world, striking that right balance of fair, but firm regulation is what provides a competitive advantage for countries,” said Bonner.

Just as London created a liberal, but safe environment for investors in the finance world, he said the UK should seek to enable freedom to innovate online, but at the same time provide protections for customers.

“This will give the UK an interesting ability to compete globally, especially as US-based internet firms are losing global customers because of concerns over surveillance by the state,” said Bonner.

Read more on the ICO

• Privacy key to UK business opportunity, says KPMG
• ICO probes Facebook over psychology experiment data protection fears
• Wearable tech must comply with privacy laws, warns ICO
• UK police forces fail to impress in ICO audit
• ICO publishes guide on top IT security failings
• ICO issues data protection warning to users of Windows XP
• ICO updates corporate plan for better data protection
• ICO fines charity £200,000 for data breach
• Infosec 2014: Act now, but no new EU data protection law before 2017, says ICO
• The ICO issues BYOD warning after breach
• ICO denies bias against public sector organisations