Data breach at online travel firm nets £150k fine from ICO


An online travel services company has been hit with a data breach fine of £150,000 after hackers plundered the details of more than 1.5 million customers' credit cards.

The Information Commissioner's Office (ICO) hit Think W3 Ltd with the penalty after one of its subsidiaries, Essential Travel, had its website hacked, resulting in 1,163,996 customer credit card details being stolen.

Of these details, 430,599 were identified as currently in-use credit cards, while the remainder were found to have expired.

Following an investigation by the ICO, it emerged that no cardholder data had been deleted from the server since 2006.

According to the data protection watchdog, the hacker was able to access the data by exploiting a coding error vulnerability on the website's login page.

From here, the perpetrator was able to lift credit card details, customer names, addresses, mobile numbers and email addresses.

The breach was uncovered on 24 December 2012, and the ICO has now ruled that the company failed to take the necessary technical measures to keep its customer data safe, and has fined it accordingly.

Stephen Eckersley, head of enforcement at the ICO, described the events that led to the hacker lifting the firm's customer details as a "staggering lapse" in judgement.

"Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers' personal data secure; failing to test their security and failing to delete out-of-date information," he said.

"The public's awareness of the importance of data protection is rising all the time. Ignorance from data controllers is no excuse. They must take active steps to ensure the personal data they are responsible for is kept safe or face enforcement action and the resulting reputational damage."

In a statement to IT Pro, Holiday Extras, which acquired the Think W3/Essential Travel brand from Thomas Cook on 24 January 2014, said it wanted to assure its "past and present" customers that data security is a top priority for the firm.

Matthew Pack, CEO of Holiday Extras, said in a statement: "We acquired Essential Travel on 24 January 2014, at which point all payment processing migrated to the main Holiday Extras system.

"Security of customer data is one of our top priorities and we continue to invest significantly in this area to ensure customer peace of mind."

IT Pro contacted Thomas Cook for comment on this story, and the company confirmed it will pay the fine even though it no longer owns either entity.

"As the breach occurred while Think W3 Ltd/Essential Travel was part of the Thomas Cook Group, we will make the payment on behalf of Holiday Extras against this monetary penalty," the company said in a statement.

"The Essential Travel computer system that was breached was a legacy system used by Think W3 Ltd/Essential Travel and is not used by any other part of the Thomas Cook Group," it added.

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.