The Information Commissioner’s Office (ICO) has fined an online travel company called Think W3 £150,000, after a hacker accessed credit card details due to a coding error on its website.
The hacker was able to retrieve data as far back as 2006, as the system had never been updated, and the ICO report on the case also found that the system used was never subject to any post-build testing.
“The data controller did not subject the web server to appropriate penetration test or internal vulnerability scans and checks, which took place on other servers on the basis that the website and web server were not external facing,” it said.
“However the website (and therefore the associated system and web server) could still be discovered and accessed over the internet by anyone with sufficient technical knowledge.”
This happened on 21 December 2012, when the hacker uncovered a coding error in the website and used an SQL injection to log in to the administrators’ interface, the report explained.
The hack was discovered on Christmas Eve, just three days later, when the data controller at Think W3 performed a routine server check that threw up a notification from some antivirus software installed on the server.
By this time, though, the hacker had accessed 1,163,996 credit and debit card records. Of these 430,599 were identified as current and 733,397 as expired.
Stephen Eckersley, head of enforcement, said the incident was a “staggering lapse” in security and underlined the fact firms of shape and size must take the issue of data protection seriously.
“Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers’ personal data secure; failing to test their security and failing to delete out-of-date information,” he said.
The owner of Think W3 at the time of the incident, Thomas Cook Group, said it would pay the fine and claimed no customers were affected by the incident.
"No customers have suffered any loss as a result of the breach which our security systems detected immediately. The Essential Travel [a subsidiary of Think W3] computer system that was breached was a legacy system used by Think W3 Ltd/Essential Travel and is not used by any other part of the Thomas Cook Group."
Jon Knowles, head of Information Security at Thomas Cook, added: "We take customer data security very seriously and are proud of the exemplary way our teams dealt with this issue to avoid any possible impact on our customers."
The current owners of Think W3, Holiday Extras, also moved to reassure customers there details remain safe. Matthew Pack, CEO of Holiday Extras, said: “We acquired Essential Travel [a brand of Think W3] on 24 January 2014, at which point all payment processing migrated to the main Holiday Extras system.
"Security of customer data is one of our top priorities and we continue to invest significantly in this area to ensure customer peace of mind.”
The fine comes after the ICO urged the government to give it more funding to help it deal with its ever-growing case load as data breaches continue to plague businesses, councils and other organisations, despite the threat of heavy fines.
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago