Company Data Breaches Lead to £150,000 Fine

March 27, 2015

A company which failed to take adequate steps to secure its website against hackers has been hit with a £150,000 financial penalty after a malicious fraudster managed to download personal data relating to its customers, including more than a million credit and debit card records.

The company acted as data controller for a wholly-owned subsidiary which traded as a booking agent for airport car parking. Although the website was linked to a system used to store large amounts of personal data, it was remotely accessible via a login page to make it easier for staff working from home. The website was for internal use, not ‘customer-facing’, but its login page contained a coding error which rendered it acutely vulnerable.

A hacker found his way past what security there was and extracted a huge volume of personal data, including customer names, addresses, telephone numbers, email addresses and 1,163,996 credit and debit card records. Anti-virus software eventually sounded the alarm and the website was shut down.

In imposing the financial penalty, the Information Commissioner’s Office (ICO) noted that no checks on the website’s security had been carried out, opening the way for the hacker to exploit its vulnerability. The risk created by the failure to install suitable safeguards ‘should have been obvious’ and, although there was no evidence of the hacked data having been used to successfully perpetrate fraud, the security lapse had caused substantial distress to customers.

The company had voluntarily notified the incident to the ICO and had co-operated fully with the investigation. Nevertheless, the penalty was appropriate to mark the company’s ‘very serious’ failure to meet its obligations under the Data Protection Act 1998. The maximum penalty which can be imposed for breaches of the Act is £500,000.