The U.K. Information Commissioner’s Office (ICO) has fined the travel company Think W3 Ltd. £150,000 (approximately $255,000) for a data breach in December 2012, when a vulnerability on the website of Think W3 subsidiary Essential Travel was leveraged to steal 1,163,996 debit and credit card records.
The data stolen included cardholders’ full names, mailing addresses, mobile phone numbers, home phone numbers, email addresses, and credit or debit card account numbers and expiration dates.
Among the records stolen, 430,599 were identified as current and 733,397 were identified as expired.
According to the ICO, Think W3 hadn’t deleted any cardholder records since 2006, and the company hadn’t conducted any security checks or reviews at all since the system had been installed.
“Data security should be a top priority for any business that operates online,” ICO head of enforcement Stephen Eckersley said in a statement. “Think W3 Limited accepted liability for failing to keep their customers’ personal data secure, failing to test their security and failing to delete out-of-date information.”
“Ignorance from data controllers is no excuse,” Eckersley added. “They must take active steps to ensure the personal data they are responsible for is kept safe or face enforcement action and the resulting reputational damage.”
The Telegraph notes that Think W3 and Essential Travel were owned by Thomas Cook until they were sold to Holiday Extras in January of 2014. “As the breach occurred while Think W3 Ltd/Essential Travel was part of the Thomas Cook Group, we will make the payment on behalf of Holiday Extras against this monetary penalty,” a Thomas Cook spokesman told the Telegraph.
“The Essential Travel computer system that was breached was a legacy system used by Think W3 Ltd/Essential Travel and is not used by any other part of the Thomas Cook Group,” the spokesman added.
The ICO recently commissioned a study by SPA Future Thinking on the impact of these financial penalties for data breaches. The research consisted of in-depth phone interviews with 14 organizations that had received such fines, called Civil Monetary Penalties (CMPs), as well as an online survey of 85 peer organizations that had not received CMPs (h/t DataBreaches.net).
“Although the research sample size was relatively small, the results clearly indicate that CMPs have had a positive impact on organizations’ data protection compliance and practice,” the ICO’s report [PDF] states.
The impact of the fines, according to the report, included the following:
- Organizations took their data protection obligations seriously, with revised practices and policies, and increased staff training.
- Data protection was given a higher profile, with greater senior management buy-in.
- Staff awareness was raised through targeted campaigns, with the importance of handling data properly made more prominent.
Even among organizations that had not received a fine, 58 percent said senior management had taken a greater interest in data protection because of CMPs, 47 percent had reviewed their data protection practices and policies, and 47 percent had introduced more data protection training.