A UK-based online travel company known as ‘Think W3’ has been fined £150,000 by the ICO (Information Commissioner’s Office), after a hacker breached its subsidiary business website ‘Essential Travel’ and accessed credit card details.
The hacker was able to retrieve credit card data going back as far as 2006 due to a coding error on the site, and the system was never updated. The ICO report on the case also revealed that the utilized system never underwent any post-building testing, such as security checks or reviews since it was installed.
“The data controller did not subject the web server to appropriate penetration test or internal vulnerability scans and checks, which took place on other servers on the basis that the website and web server were not external facing,” the report revealed.
“However the website (and therefore the associated system and web server) could still be discovered and accessed over the internet by anyone with sufficient technical knowledge.”
The hacker discovered the coding error in the website on December 21 2012, and used an SQL injection to log in to the admin interface, according to the report. The hack was uncovered after three days on Christmas Eve, when Think W3’s data controller performed a routine check on the server, only to display a notification from some anti-virus program installed on the server.
By the time, however, the adversaries had breached 1,163,996 debit card and credit card records, including 733,397 expired datasets and 430,599 current datasets. Though some of the data was encrypted, the same server was hosting the decryption key, which means it could be accessed with ease.
Therefore, the hackers not only got their hands on expiration dates and card numbers, but also customer surnames, names, phone numbers, addresses and emails. The only type of data that they weren’t able to access was CVV numbers.
Head of enforcement Stephen Eckersley called the incident a ‘staggering lapse’ in security and highlighted firms of size and shape that must take the growing issue of data protection seriously. He stated:
“Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers’ personal data secure; failing to test their security and failing to delete out-of-date information.”
A week ago, Information Commissioner Christopher Graham stated that the watchdog had to check a record number of investigations and complaints in the financial year that went by. He also warned that ICO was failing in access to funding it requires to continue its vital operations, and demanded more powers to enforce data regulation.
The data protection and privacy watchdog’s annual report also revealed that ICO’s workload has been increasing over the past few years. It also noted the work of the regulatory authority in tackling major issues including the Snowden spying scandal, the NHS care data plans, as well as cases involving major tech giants such as Google and Facebook as proof that it is endeavoring to provide valuable service and safeguard privacy and security of the public.
“We’re effective, efficient and busier than ever. But to do our job properly, to represent people properly, we need stronger powers, more sustainable funding and a clearer guarantee of independence,” stated Graham.
ICO was also forced to admit that it had suffered an internal data breach at its offices, although no precise details of the punishment or the issue were meted out by the regulator.
Thomas Cook Group, the owner of Think W3, said at the time of the incident that the company would clear the fine and claimed that the incident didn’t affect any customer.
“No customers have suffered any loss as a result of the breach which our security systems detected immediately. The Essential Travel [a subsidiary of Think W3] computer system that was breached was a legacy system used by Think W3 Ltd/Essential Travel and is not used by any other part of the Thomas Cook Group.”
Head of Information Security at Thomas Cook Jon Knowles said:
“We take customer data security very seriously and are proud of the exemplary way our teams dealt with this issue to avoid any possible impact on our customers.”
Think W3’s current owners ‘Holiday Extras’ also made a statement to reassure customers that the breach didn’t affect them. CEO of Holiday Extras Matthew Park stated:
“We acquired Essential Travel [a brand of Think W3] on 24 January 2014, at which point all payment processing migrated to the main Holiday Extras system.”
“Security of customer data is one of our top priorities and we continue to invest significantly in this area to ensure customer peace of mind.”