ICO Fines Travel Company £150,000 Over Data Breach

Inadequate security resulted in the loss of more than a million customer credit and debit card numbers

The Information Commissioner’s Office (ICO) has hit a UK-based online travel agency with a £150,000 fine over a “serious” breach of the Data Protection Act.

Essential Travel, a subsidiary of Think W3 Limited (TW3), was hacked in 2012, with the attackers getting their hands on more than a million decrypted debit and credit card records, in addition to other customer data.

ICO said the incident was caused by inadequate security measures on the Essential Travel website. The company provides travel insurance, airport parking and hotel bookings.

“The public’s awareness of the importance of data protection is rising all the time. Ignorance from data controllers is no excuse. They must take active steps to ensure the personal data they are responsible for is kept safe or face enforcement action and the resulting reputational damage,” said Stephen Eckersley, head of Enforcement at the ICO.

What pen-test?

In accordance with the Data Protection Act, TW3, itself a subsidiary of Thomas Cook, is classified as a ‘data controller’ responsible for the protection of all personal data entrusted to it by its customers.

In 2006, the company developed an internal car parking system for Essential Travel, and installed it on the server which was running the main e-commerce platform.

ICO explains that in order to facilitate home working, the parking system could be accessed via a login page on a non-customer facing website which was publicly available online. It turns out this page contained a script vulnerability which remained undetected for six years.

The parking system was compromised in December 2012 using an SQL injection technique, which gave the attacker access to the e-commerce platform. In the aftermath, it emerged that Essential Travel had kept cardholder details from as far back as 2006, and there had been no security checks or reviews since the system had been installed.
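The article does not say what the login page's script looked like, so the following is an added, constructed illustration of the defect class and its fix, not code from Essential Travel or the ICO report. It uses an in-memory SQLite table with made-up staff accounts (assumed names and passwords) to contrast a login query that splices user input into the SQL text with the parameterised form that binds input as data:

```python
import sqlite3

# Constructed sample data: a single staff account on a hypothetical parking system.
# Plaintext passwords are used only to keep the demonstration short.
SAMPLE_USERS = [("alice", "correct-horse")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE staff (username TEXT PRIMARY KEY, password TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO staff VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The flawed pattern: user input is concatenated straight into the SQL text.

    A quote character in either field ends the string literal early, so the
    remainder of the input is parsed as SQL rather than compared as data.
    """
    query = (
        "SELECT username FROM staff WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: a parameterised query. The SQL text is fixed at development time
    and the inputs are bound as values, so they can never alter the statement."""
    row = conn.execute(
        "SELECT username FROM staff WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # A password field containing a quote and a tautology is the classic test case.
    probe = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "nobody", probe))  # True: check bypassed
    print("safe:      ", login_safe(db, "nobody", probe))        # False: treated as data
```

The parameterised version is the whole remedy for this defect class; input filtering on top of it is defence in depth, not a substitute. A review of the kind the ICO says never happened in six years would have flagged the concatenated query on sight.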

This allowed the attacker to steal a total of 1,163,996 credit and debit card records, including 430,599 current and 733,397 expired datasets.
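Of the records taken, the majority were for cards that had already expired, and the ICO faulted the company for never deleting out-of-date information. As an added example (not from the page or the company), the following retention job shows how a scheduled purge keeps expired and dormant card records from accumulating. The table layout, the sample rows and the two-year dormancy window are all constructed assumptions:

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample rows: (card_id, expiry_year, expiry_month, last_used ISO date).
SAMPLE_CARDS = [
    (1, 2012, 11, "2012-10-01"),  # expired just before the run date
    (2, 2006, 3, "2006-02-14"),   # expired six years ago; should never still exist
    (3, 2014, 6, "2012-11-20"),   # current card, recently used
    (4, 2013, 1, "2010-05-05"),   # current card but dormant for over two years
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory card table seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards ("
        " card_id INTEGER PRIMARY KEY,"
        " expiry_year INTEGER NOT NULL,"
        " expiry_month INTEGER NOT NULL,"
        " last_used TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?, ?)", SAMPLE_CARDS)
    conn.commit()
    return conn


def purge_card_data(conn: sqlite3.Connection, today: date, dormant_days: int) -> dict:
    """Delete expired cards, then cards unused for longer than the retention window.

    Returns counts per reason plus the number of rows left, so the job can be
    logged and alerted on if it ever deletes nothing for a suspiciously long time.
    """
    year, month = today.year, today.month
    expired = conn.execute(
        "DELETE FROM cards WHERE expiry_year < ?"
        " OR (expiry_year = ? AND expiry_month < ?)",
        (year, year, month),
    ).rowcount
    # ISO-8601 date strings compare correctly as text, so a string cutoff is safe here.
    cutoff = (today - timedelta(days=dormant_days)).isoformat()
    dormant = conn.execute(
        "DELETE FROM cards WHERE last_used < ?", (cutoff,)
    ).rowcount
    conn.commit()
    remaining = conn.execute("SELECT COUNT(*) FROM cards").fetchone()[0]
    return {"expired": expired, "dormant": dormant, "remaining": remaining}


if __name__ == "__main__":
    db = make_db()
    # Run as if on the month of the incident, with a two-year dormancy window.
    print(purge_card_data(db, date(2012, 12, 1), dormant_days=730))
```

Run on a schedule, a job like this bounds how much cardholder data an intrusion can yield to what the business still needs; with no purge since 2006, the exposure here grew to every card ever taken.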

And here’s the worst part: while some of this data was encrypted, the decryption key was stored on the same server and could be easily accessed. As a result the attacker got their hands not only on card numbers and expiration dates, but also on customer names, surnames, addresses, phone numbers and emails. The only type of data that remained safe was the CVV numbers.

“This was a staggering lapse that left more than a million holiday makers’ personal details exposed to a malicious hacker,” said Eckersley.

“Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers’ personal data secure; failing to test their security and failing to delete out-of-date information.”

Last week, information commissioner Christopher Graham reported that the watchdog had to deal with a record number of complaints and investigations in the past financial year. He warned that ICO was losing access to the funding it needs to continue its vital work, and asked for more powers to enforce data regulation.
