UK independent regulatory body, the Information Commissioner’s Office (ICO), has slapped an online travel services publisher with a £150,000 fine.

Think W3, a subsidiary of Essential Travel, was in breach of the Data Protection Act after exposing more than one million customer records to a malicious hacker in December 2012, who took advantage of insecure coding on its website.

The ICO reports that the hacker managed to get hold of 1,163,996 credit and debit card records, of which 430,599 have been identified as current and 733,397 have since expired.

A “staggering lapse”

Essential Travel is said to have failed to delete any cardholder details since 2006. There had also been no security checks or reviews since the system was originally installed, which the ICO’s head of enforcement Stephen Eckersley was completely taken aback by.

“This was a staggering lapse that left more than a million holiday makers’ sensitive personal details exposed to a malicious hacker,” Eckersley said.

“Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers’ personal data secure; failing to test their security and failing to delete out-of-date information.

Change in ownership

At the time of the breach online travel agent Thomas Cook owned Essential Travel and Think W3, but in December 2013 both companies were sold to UK-based hotel booking website Holiday Extras.

In a statement released to PerformanceIN, Thomas Cook revealed it had paid the ICO penalty on behalf of Holiday Extras as Think W3 and Essential Travel were part of the group at the time.

Thomas Cook insists that no customers suffered financial losses as a result of the breach and it occurred on a legacy system used exclusively by Think W3 and Essential Travel, not any other part of the group.