The Information Commissioner's Office (ICO) has fined the online travel services company Think W3 Limited £150,000 following a data protection breach arising from insecure "coding" on the website of its subsidiary, Essential Travel Limited.
The travel firm was hacked in December 2012 and a total of 1,163,996 customer credit and debit card records were extracted. Of those, 430,599 were identified as current card details and 733,397 had expired.
The privacy watchdogs at the ICO stated that "cardholder details had not been deleted since 2006 and there had been no security checks or reviews since the system had been installed".
Stephen Eckersley, Head of Enforcement at the ICO, noted that the actions of Think W3 Limited were a "staggering lapse that left more than a million holidaymakers' sensitive personal details exposed to a malicious hacker.
"Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers' personal data secure, failing to test their security and failing to delete out-of-date information."
The Data Protection Act 1998 obligates organisations not to hold personal data for longer than is necessary and to undertake regular checks to ensure that the data held is up to date and accurate.
If Think W3 Limited had acted in accordance with these obligations, it is likely that the details of the more than 700,000 individuals whose cards had expired, and any other details that were no longer required, would not have been on the travel firm's systems at the time of the hack.