The UK Information Commissioner’s Office (ICO) has imposed a fine of £150,000 on Think W3 Limited, an online travel services company, for failing to implement adequate security measures for customers’ personal information. In December 2012, a hacker used a decryption key that had not been securely stored on the company’s web server to access the customer database of its subsidiary Essential Travel Ltd. The hacker extracted over one million credit and debit card records and accessed customers’ names, home addresses, phone numbers, and email addresses. Think W3 had not deleted this data from the server since 2006, had not carried out penetration and vulnerability tests of the Essential Travel website, and had failed to check and maintain the security of the website’s login code after its 2006 implementation. Accordingly, the ICO determined that, as the data controller for Essential Travel, Think W3 was in “serious contravention of the Seventh Data Protection Principle” of the Data Protection Act 1998, which requires of entities working in the UK that “[a]ppropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data”.