UK Travel Company Breach Leads to Fine

Website Vulnerability Exposed 1 Million Card Accounts
UK Travel Company Breach Leads to Fine

A December 2012 data breach at a British online travel services company has led to a £150,000 penalty from the U.K. Information Commissioner's Office.

See Also: OnDemand | Realities of Choosing a Response Provider

Think W3 Limited was hit with the fine following a December 2012 breach that stemmed from insecure coding on the website of one of its subsidiary businesses, Essential Travel Ltd., the ICO says. A cybercriminal was able to extract more than 1.1 million credit and debit card numbers. Other compromised information included customer names, card expiration dates, addresses, postal codes, mobile and home phone numbers and e-mail addresses, the ICO says.

The records compromised included more than 430,000 card numbers that were current and 733,000 that were expired, the ICO says. The ICO's investigation found that cardholder details had not been deleted since 2006 and there had been no security checks or reviews since the third-party system had been installed.

"Data security should be a top priority for any business that operates online," says Stephen Eckersley, head of enforcement at the ICO. "Think W3 Limited accepted liability for failing to keep their customers' personal data secure, failing to test their security and failing to delete out-of-date information."

View the monetary penalty document here.


About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.eu, you agree to our use of cookies.