UK DPA Fines Travel Services Company Following Theft of Card Data

The UK Information Commissioner’s Office has fined travel services company Think W3 Limited £150,000 after credit and debit card details of more than 1 million customers were stolen by a hacker. The ICO found that the system that the cardholder details were held on was not secure. The company had conducted functionality tests when the system was introduced but did not carry out security checks or reviews of the system at the time or subsequently. In a press release the ICO Head of Enforcement, Stephen Eckersley, said “This was a staggering lapse that left more than a million holiday makers’ personal details exposed to a malicious hacker… Data security should be a top priority for any business that operates online… Ignorance from data controllers is no excuse. They must take active steps to ensure the personal data they are responsible for is kept safe or face enforcement action and the resulting reputational damage.”

TIP: This case demonstrates that even outside of the US (where these kinds of cases have been more frequent), privacy regulators are examining whether companies’ security measures were sufficient in the wake of cyber-attacks. The case is thus a reminder to ensure that data is provided with appropriate security measures.