ICO penalty after one million credit card details extracted from vulnerable website

The Information Commissioner’s Office (ICO) has served a monetary penalty notice (MPN) of £150,000 on online travel company Think W3 Ltd.

MPNs (sometimes wrongly described as “fines” *cough* http://ico.org.uk/enforcement/fines) are civil penalties which can be served by the ICO where it has determined that the data controller in question has contravened the Data Protection Act 1998 and the contravention was: serious, of a kind likely to cause substantial damage or substantial distress and the data controller knew or ought to have known that there was a risk the contravention would occur but failed to take steps to prevent it. The ICO classed this contravention as very serious.

The website of Essential Travel Ltd, a subsidiary and trading brand of Think W3, was subject to a major attack under which more than 1 million credit card records were extracted. The attack was the result of an SQL injection enabled by a coding error on a login page which (for the facilitation of home-working) was publicly available over the internet. It appears that the coding error, and the lack of suitable checks since, meant the site had been vulnerable since early 2006 until December 2012 (when the attack happened).

The fact that the MPN was at the lower end of the scale available is probably because of the need (laid out in guidance) for the ICO to consider the data controller’s financial ability to pay a penalty. What I find interesting here is that Think W3 Ltd were a company wholly owned by Thomas Cook Group, who acquired 100% of it in 2010 until January this year. Company law normally provides that liability of a company within a group attaches to that company alone, so the assets of the Group were not available to be taken into account by the ICO, but, given that the seventh data protection principle was already being contravened, in a very serious manner, at the time of the 2010 aquisition, some questions might now be asked of those in charge at the time. And it is noteworthy that Thomas Cook appear to be prepared to pay the penalty, rather than new owners Holiday Extras.