ICO slaps online travel firm with £150,000 penalty

The ICO has issued a monetary penalty of £150,000 to an online travel firm for failing to protect customer data

The Information Commissioner’s Office (ICO) has issued a monetary penalty of £150,000 to online travel services firm Think W3 Limited for exposing more than a million customer records to a hacker.

The company was hacked in December 2012 after using insecure coding on the website of a subsidiary business, Essential Travel Ltd.

The hacker was able to copy 1,163,996 credit and debit card records. Of these records, 430,599 were identified as current and 733,397 as expired.

Cardholder details had not been deleted since 2006 and there had been no security checks or reviews since the system had been installed.

“This was a staggering lapse that left more than a million holiday makers’ sensitive personal details exposed to a malicious hacker,” said Stephen Eckersley, head of enforcement at the ICO.

“Data security should be a top priority for any business that operates online,” he said.

Think W3 Limited accepted liability for failing to keep its customers’ personal data secure, failing to test its security and failing to delete out-of-date information.

“The public’s awareness of the importance of data protection is rising all the time. Ignorance from data controllers is no excuse,” said Eckersley.

“They must take active steps to ensure the personal data they are responsible for is kept safe or face enforcement action and the resulting reputational damage,” he said.

Stephen Bonner, partner in information protection and business resilience at KPMG, recently told Computer Weekly that privacy could be the key to opportunity and success for UK firms.

“In a flat, global network where e-commerce can be delivered anywhere in the world, striking that right balance of fair, but firm regulation is what provides a competitive advantage for countries,” said Bonner.

Just as London created a liberal, but safe environment for investors in the finance world, he said the UK should seek to enable freedom to innovate online, but at the same time provide protections for customers.

“This will give the UK an interesting ability to compete globally, especially as US-based internet firms are losing global customers because of concerns over surveillance by the state,” said Bonner.
