Company targeted by website hacker fined £150,000

News | 14 December 2014

A company which failed to take adequate steps to secure its website against hackers has been hit with a £150,000 financial penalty after a malicious fraudster managed to download personal details on its customers, including more than a million credit and debit card records.

The company acted as data controller for a wholly-owned subsidiary which traded as a booking agent for airport car parking. Although the website was linked to a system used to store large amounts of personal data, it was remotely accessible via a login page to make it easier for staff working from home. The website was for internal use and not ‘customer-facing’, but its login page contained a coding error which rendered it acutely vulnerable.

A hacker found his way past what security there was and extracted a huge volume of personal data, including customer names, addresses, telephone numbers, email addresses and 1,163,996 credit and debit card records. Anti-virus software eventually sounded the alarm and the website was shut down.

In imposing the financial penalty, the Information Commissioner’s Office (ICO) noted that no checks on the website’s security had been carried out, opening the way for the hacker to exploit its vulnerability. The risk created by the failure to install suitable safeguards ‘should have been obvious’ and, although there was no evidence of the hacked data having been used to successfully perpetrate fraud, the security lapse had caused substantial distress to customers.

The company had voluntarily notified the incident to the ICO and had co-operated fully with the investigation. Nevertheless, the penalty was appropriate to mark the company’s ‘very serious’ failure to meet its obligations under the Data Protection Act 1998. The maximum penalty which could have been imposed was £500,000.
