ICO Fines Travel Company £150,000 Over Data Breach

The Information Commissioner’s Office (ICO) has hit a UK-based online travel agency with a £150,000 fine over a “serious” breach of the Data Protection Act.

Essential Travel, a subsidiary of Think W3 Limited (TW3), was hacked in 2012, with the attackers getting their hands on more than a million decrypted debit and credit card records, in addition to other customer data.

The ICO said the incident was caused by inadequate security measures on the Essential Travel website. The company provides travel insurance, airport parking and hotel bookings.

“The public’s awareness of the importance of data protection is rising all the time. Ignorance from data controllers is no excuse. They must take active steps to ensure the personal data they are responsible for is kept safe or face enforcement action and the resulting reputational damage,” said Stephen Eckersley, head of Enforcement at the ICO.

What pen-test?

In accordance with the Data Protection Act, TW3, itself a subsidiary of Thomas Cook, is classified as a ‘data controller’ responsible for the protection of all personal data entrusted to it by its customers.

In 2006, the company developed an internal car parking system for Essential Travel, and installed it on the server which was running the main e-commerce platform.

The ICO explains that, to facilitate home working, the parking system could be accessed via a login page on a non-customer-facing website that was nonetheless publicly reachable online. This page contained a script vulnerability that went undetected for six years.

The parking system was compromised in December 2012 using SQL injection, which gave the attacker access to the e-commerce platform running on the same server. In the aftermath, it emerged that Essential Travel had kept cardholder details dating back to 2006, and that there had been no security checks or reviews since the system was installed.
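The attack path the ICO describes, as an added illustration (this is not the article's or Think W3's code): a login page that splices user input into its SQL text can be turned from an authentication bypass into a read of every other table the database account can see, which is how a parking-system login becomes an e-commerce card dump. The table and column names, the sample rows and the staff credentials are all constructed for the example; it runs against an in-memory SQLite database.

```python
"""
Added example: SQL injection on a login page, and the parameterised fix.
Nothing here comes from the breached system; the schema and data are made up.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a staff login table for the parking system
    and a card table belonging to the e-commerce platform, reachable through
    the same database connection because both live on one server."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE staff(username TEXT, password TEXT);
        INSERT INTO staff VALUES ('alice', 'Winter2012!');  -- plaintext only for brevity
        CREATE TABLE cards(name TEXT, pan TEXT, expiry TEXT);
        INSERT INTO cards VALUES ('J Bloggs', '4111111111111111', '03/14');
        INSERT INTO cards VALUES ('A Other',  '5500000000000004', '11/09');
    """)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The bug: user input is concatenated into the SQL text, so a quote in
    the username ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT username FROM staff WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The fix: placeholders bind the input as data; it is never parsed as SQL."""
    sql = "SELECT username FROM staff WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Two constructed payloads. The first ends the username literal and makes the
# WHERE clause always true; the second appends a UNION that pulls rows from the
# card table instead of (or as well as) the staff table. `--` comments out the
# rest of the original query, including the password check.
BYPASS = "' OR 1=1 --"
EXFIL = "' UNION SELECT name || ':' || pan || ':' || expiry FROM cards --"


def demo() -> dict:
    """Run both payloads against both implementations and return the results."""
    conn = build_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, BYPASS, "anything"),
        "vulnerable_exfil": sorted(r[0] for r in login_vulnerable(conn, EXFIL, "anything")),
        "safe_bypass": login_safe(conn, BYPASS, "anything"),
        "safe_exfil": login_safe(conn, EXFIL, "anything"),
        "safe_real_login": login_safe(conn, "alice", "Winter2012!"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable function returns a logged-in user for the bypass payload and two card rows for the UNION payload; the parameterised version returns nothing for either and still authenticates the genuine credentials. The database account used by a login page should also not be able to read the card table at all, which is the least-privilege control that would have limited the damage even with the injection present.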

This allowed the attacker to steal a total of 1,163,996 credit and debit card records: 430,599 for current cards and 733,397 for cards that had already expired.

And here is the worst part: while some of this data was encrypted, the decryption key was stored on the same server and could be easily accessed, so the encryption offered no protection against an attacker who had already compromised that host. As a result the attacker obtained not only card numbers and expiry dates but also customer names, surnames, addresses, phone numbers and email addresses. The only card data that was not exposed was the CVV numbers.
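Two of the three failings the ICO lists, kept data it no longer needed and kept more card data than a booking requires, can be addressed with a retention purge and data minimisation. The following is an added example, not code from the article or from Think W3: it drops records whose card has expired (the 733,397 expired records should not have existed in December 2012) and stores only the last four digits plus a keyed, non-reversible token for the rest. The records, the breach-date cut-off and the token key are constructed for the example; in a real deployment the token key belongs to a separate payment service, not to the web or database host, which is the key-separation point the notice makes.

```python
"""
Added example: purge expired card records and minimise what is kept.
Sample records and the key are made up; nothing here is from the breached system.
"""
import hashlib
import hmac
from datetime import date

# Constructed sample records in the shape the article describes (name, full
# PAN, MM/YY expiry). The PANs are well-known test numbers, not real cards.
SAMPLE_RECORDS = [
    {"name": "J Bloggs", "pan": "4111111111111111", "expiry": "03/14"},
    {"name": "A Other",  "pan": "5500000000000004", "expiry": "11/09"},
    {"name": "P Smith",  "pan": "4000056655665556", "expiry": "12/12"},
    {"name": "R Jones",  "pan": "2223003122003222", "expiry": "11/12"},
]

# The month the breach happened, used as the reference date for the purge.
BREACH_DATE = date(2012, 12, 1)


def card_expired(expiry: str, today: date) -> bool:
    """A card printed MM/YY is valid through the last day of that month, so it
    is expired from the first day of the following month onwards."""
    month, year = expiry.split("/")
    mm, yy = int(month), 2000 + int(year)
    cutoff = date(yy + 1, 1, 1) if mm == 12 else date(yy, mm + 1, 1)
    return today >= cutoff


def minimise(record: dict, token_key: bytes) -> dict:
    """Replace the full PAN with a masked form plus an HMAC token. The token
    lets the application recognise a repeat card without storing the PAN; the
    key is an input here and must not be written next to the data."""
    pan = record["pan"]
    token = hmac.new(token_key, pan.encode(), hashlib.sha256).hexdigest()
    return {
        "name": record["name"],
        "last4": pan[-4:],
        "expiry": record["expiry"],
        "token": token,
    }


def purge_and_minimise(records: list, today: date, token_key: bytes) -> tuple:
    """Return (kept_minimised_records, number_purged)."""
    kept, purged = [], 0
    for record in records:
        if card_expired(record["expiry"], today):
            purged += 1
            continue
        kept.append(minimise(record, token_key))
    return kept, purged


if __name__ == "__main__":
    kept, purged = purge_and_minimise(SAMPLE_RECORDS, BREACH_DATE, b"example-key-not-for-production")
    print(f"purged {purged} expired records, kept {len(kept)}")
    for row in kept:
        print(row)
```

With the breach month as the reference date, two of the four sample cards are purged and the two kept rows carry no full card number. A masked PAN and expiry are enough for the customer-facing "card ending 1111" display; anything that genuinely needs the full number should be held by a payment processor or a separate tokenisation service, so that a compromise of the booking platform yields nothing that can be charged.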

“This was a staggering lapse that left more than a million holiday makers’ personal details exposed to a malicious hacker,” said Eckersley.

“Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers’ personal data secure; failing to test their security and failing to delete out-of-date information.”

Last week, information commissioner Christopher Graham reported that the watchdog had to deal with a record number of complaints and investigations in the past financial year. He warned that ICO was losing access to the funding it needs to continue its vital work, and asked for more powers to enforce data regulation.


Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.
