Company receives £150,000 ($255k/€189k) monetary penalty for breaching Data Protection Act

Jul 24, 2014 17:39 GMT

The systems of UK online travel service Think W3 Limited were breached in 2012, and the hacker made off with a total of 1,163,996 credit and debit card records.

Not all of the information was valid, though: 733,397 of the cards had expired, which left the perp with 430,599 records of valid data, highly useful for fraudulent activities.

An announcement on the matter from the Information Commissioner’s Office says that the sensitive financial information was available on the systems because it had not been deleted since 2006; furthermore, the company had not performed any security checks or reviews since the system was first installed.

Head of Enforcement, Stephen Eckersley, said that “data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers’ personal data secure; failing to test their security and failing to delete out-of-date information.”

The travel service company was given a monetary penalty of £150,000 / $255,000 / €189,000 for breaching the Data Protection Act.

The monetary notice says that Think W3 Limited developed a car parking system that was installed on the same server containing the e-commerce application that stored the stolen details. It appears that the website was publicly available on the Internet.