The Information Commissioner’s Office (ICO) has fined online travel services company Think W3 Limited £150,000 following a data protection breach arising from insecure “coding” on the website of their subsidiary business Essential Travel Limited.
The travel firm was hacked in December 2012, resulting in a total of 1,163,996 credit and debit card records of customers being extracted. Of those records extracted, 430,599 were identified as current details and 733,397 had expired.
The privacy watchdogs at the ICO stated that “cardholder details had not been deleted since 2006 and there had been no security checks or reviews since the system had been installed”.
Stephen Eckersley, Head of Enforcement at the ICO, noted that the actions of Think W3 Limited were a “staggering lapse that left more than a million holidaymakers’ sensitive personal details exposed to a malicious hacker.
“Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers’ personal data secure, failing to test their security and failing to delete out-of-date information.”
The Data Protection Act 1998 obligates organisations not to hold personal data for longer than is necessary and to undertake regular checks to ensure that the data held is up to date and accurate.
If Think W3 Limited had acted in accordance with these obligations, it is likely that the expired details of the 700,000 plus individuals, and any other details that were no longer required, would not have been on the travel firm’s system at the time of the hacking.
MacRoberts can provide advice on data protection and help your business develop and implement its own data protection procedures including interactive training.
For further information, please contact David Gourlay on 0131 229 5046 or Valerie Surgenor on 0141 303 1100.
© MacRoberts 2014