UK Travel Company Breach Leads to Fine
Website Vulnerability Exposed 1 Million Card Accounts
A December 2012 data breach at a British online travel services company has led to a £150,000 penalty from the U.K. Information Commissioner's Office.
Think W3 Limited was hit with the fine following a December 2012 breach that stemmed from insecure coding on the website of one of its subsidiary businesses, Essential Travel Ltd., the ICO says. A cybercriminal was able to extract more than 1.1 million credit and debit card numbers. Other compromised information included customer names, card expiration dates, addresses, postal codes, mobile and home phone numbers and e-mail addresses, the ICO says.
The records compromised included more than 430,000 card numbers that were current and 733,000 that were expired, the ICO says. The ICO's investigation found that cardholder details had not been deleted since 2006 and there had been no security checks or reviews since the third-party system had been installed.
"Data security should be a top priority for any business that operates online," says Stephen Eckersley, head of enforcement at the ICO. "Think W3 Limited accepted liability for failing to keep their customers' personal data secure, failing to test their security and failing to delete out-of-date information."