Who has your credit card data? 1 million HOLIDAY-MAKERS' RECORDS exposed

A UK-based online travel firm has been fined £150,000 over a breach of the Data Protection Act after its "insecure" coding reportedly exposed more than a million customer records to cybercrooks. Think W3 Limited was hacked in December 2012 in an attack that relied on what the ICO described as "insecure" coding on …

  1. Anonymous Coward

    ICO ?

    Isn't this more in the realms of the FCA(FSA), under PCI-DSS regulations ?

    1. Stretch

      Re: ICO ?

      PCI isn't a regulation or from the FSA. It's an industry "standard" designed to allow transfer of blame away from the card providers.

    2. Thomas Whipp

      Re: ICO ?

      Oh god I've got my compliance geek on here:

      a) FCA/PRA (who replaced the FSA) would not have jurisdiction over a travel agent as they are financial services regulators - with the exception that the FCA might have jurisdiction in relation to a credit licence, but that wouldn't be relevant in this case.

      b) as others have said, PCI-DSS is a card scheme standard so any fines for non-compliance with that would typically be issued via the merchants acquiring bank.

      c) and this actually bugs me a *LOT*, under the DPA financial records are not considered sensitive personal data (this designation being reserved for medical history, political affiliations, union membership and sexual orientation) - as a release from the ICO they really shouldn't be using that phrase incorrectly.

      d) I also find it slightly odd that the FCA state that there was no fraud as a result, that would be extremely hard to demonstrate and from what I understand it tends to be done by statistical analysis at the card issuers/schemes to identify spikes in fraud where clusters of card numbers all made purchases via a particular merchant within a particular window. The fact that nobody might have felt sure enough to state that there was fraud to the ICO has almost no value here.

      </geek>

  2. Warm Braw

    Travel companies are a security nightmare

    The card companies have extended a lot of leeway to travel companies which in many cases have systems that would get other businesses shut down for non-compliance. It's even worse with business travel where complete card details (including faxable images of both sides of the card) are often kept in the clear to enable a travel management company to make bookings on behalf of companies or individual staff. Credit card numbers in the clear are often the only common reference that allows an agent to match a client booking with the carrier receipt and hence they're widely exchanged outside of the actual payment.

    Sloppy security is the norm rather than the exception and it pervades the business sector as a whole. It's almost impossible for any intermediary business to operate in a wholly PCI-compliant fashion.

  3. Tanuki
    Thumb Down

    I'm continually narked by travel-companies who seem to want a whole slew of irrelevant data about you (name, address, date-of-birth, height, weight, brother's inside-leg measurement, pet's star-sign and the colour of the last car you bought) before they will even *try* to give you a price for a flight/ticket/holiday.

    [I've taken to giving them the cat's name, age, inside-leg measurement and height/weight just to confuse them]

    1. Anonymous Coward

      Yes, but I see on our records that you actually LIED about your cat's age.

  4. btrower

    Who is responsible here?

    Re:"Data security should be a top priority for any business that operates online."

    Well, maybe they can find whoever is responsible for weakening security across the board and sue them for the funds to fix it.

    Securing things like this falls into 'plausible deniability', rather than actual security. The only reason that the banking system has not been disrupted by now is that (last I worked in banks anyway), the online systems are not actually connected to the Internet in a way that can affect the upstream banking system. I have a horrible feeling that, as the old guard who kept the glass house locked down leaves, these systems will be exposed by people who don't have a suitable level of paranoia.

    You have to wonder how they expect the IOT to work without killing people.

  5. Mayhem

    Interesting

    Ahh, so that's what happened.

    I actually used Essential Travel for the past five years, found them a good and reliable inexpensive travel insurance provider for a worldwide multitrip policy.

    And they no longer exist, as of some time in the past year - I was unable to renew my policy in January as the new company simply didn't support anything other than package holiday cover.

    I wonder if the previous lot got flattened in an acquisition, and the underlying setup was so bad it was safer to start afresh. Certainly the old website was terrible, both to use, and from a coding viewpoint. And as demonstrated here.

  6. CaptainBanjax

    who cares...

    Who cares who is specifically responsible. The company operating the website got fined. It is now an internal problem for them. Public hangings went out ages ago.

    What is important is not just that the law-breaking hacker is going to get strung out, the company RESPONSIBLE got a kick in the bollocks.

    Finally.

  7. Anonymous Coward
    FAIL

    Eh

    Since 2006? That reminds me of a colleague of mine who loves to use one of the production AS400s to test code...but sometimes he gets his punishment, like spending a whole weekend reverting the results of his stupidity :D

  8. ecofeco

    Ah the Internet of things!

    Oh wait, wrong article.

    Because the Internet of things won't possibly make stealing my information easier, now could it?

  9. Anonymous Coward
    Big Brother

    Commercial transactions on the Internet

    How about designing an online commercial system that doesn't rely on credit cards for transactions. After all, once the cybercrooks have your numbers then they effectively are you.
