ICO fines online travel services firm £150,000 over exposed personal data

The Information Commissioner's Office (ICO) has fined an online travel services company £150,000 over a serious breach of the Data Protection Act (DPA).

The company, Think W3 Limited, has been penalised for having poor security on one of its websites, which exposed over a million credit and debit card details to a malicious hacker.

Think W3 was hacked in December 2012 through the website of its subsidiary business, Essential Travel Ltd. The hacker was able to extract 1,163,996 credit and debit card records through the website, of which 430,599 were current details. The majority, 733,397, had expired.

The ICO found that card details had not been deleted since 2006, and that there had been no security checks or reviews since the system was initially installed.

Stephen Eckersley, head of enforcement at the ICO, said: "This was a staggering lapse that left more than a million holiday makers' sensitive personal details exposed to a malicious hacker.

"Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers' personal data secure; failing to test their security and failing to delete out-of-date information."

He added: "The public's awareness of the importance of data protection is rising all the time. Ignorance from data controllers is no excuse. They must take active steps to ensure the personal data they are responsible for is kept safe or face enforcement action and the resulting reputational damage."