Hackers swipe payment card data on more than 1M UK travel service firm clients

Security lapses at Think W3 allowed intruders to gain access to the website of subsidiary Essential Travel.

“Insecure coding” on the site let them extract more than a million credit and debit records, of which around 430,000 were current and 733,000 were expired, the Information Commissioner’s Office stated. This ICO notice details the coding defects. 

ICO head of enforcement Stephen Eckersley said: “Think W3 Limited accepted liability for failing to keep their customers’ personal data secure; failing to test their security and failing to delete out-of-date information.”

Cardholder details had not been deleted since 2006 and there had been no security checks since the system had been installed.