Online services provider Think W3, the parent of Essential Travel, has been fined £150,000 for a breach of data security.
The fine was imposed by the Information Commissioner’s Office for what was considered to be a “serious breach of the Data Protection Act”.
The breach took place in 2012, when Think W3 was owned by Thomas Cook. It has since been sold to Holiday Extras.
Essential Travel had been using insecure coding on its website and it was hacked in December 2012 leading to the loss of 1,163,996 credit and debit card records.
Of these records 430,599 were identified as current and 733,397 as expired. The ICO found cardholder details had not been deleted since 2006 and there had been no security checks or reviews since the system had been installed.
Stephen Eckersley, head of enforcement, said: “This was a staggering lapse that left more than a million holidaymakers’ personal details exposed to a malicious hacker.
“Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers’ personal data secure; failing to test their security and failing to delete out-of-date information.
“The public’s awareness of the importance of data protection is rising all the time. Ignorance from data controllers is no excuse. They must take active steps to ensure the personal data they are responsible for is kept safe or face enforcement action and the resulting reputational damage.”
Thomas Cook said no customers suffered any monetary loss as a result of the data breach which was detected immediately and was related to a legacy system that was not in use in any other part of the Cook business.
Jon Knowles, head of information security at Thomas Cook, told technology news website V3.co.uk: “We take customer data security very seriously and are proud of the exemplary way our teams dealt with this issue to avoid any possible impact on our customers.”
Holiday Extras said Essential Travel’s payments had been migrated on to its own systems since the acquisition in January of this year.