UK Information Commissioner serves monetary penalty notice on Think W3 Limited for serious privacy breaches
July 27, 2014
On 24 July 2014 the Information Commissioner’s Office in the United Kingdom (the ICO) served on Think W3 a very substantial monetary penalty notice of £150,000, after determining that personal details involving 1,163,996 credit and debit card records had been accessed.
The ICO media notice provides:
Think W3 Limited, an online travel services company, has been served a £150,000 monetary penalty after a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker.
The company was hacked in December 2012 after using insecure coding on the website of a subsidiary business, Essential Travel Ltd. The hacker extracted a total of 1,163,996 credit and debit card records. Of these records 430,599 were identified as current and 733,397 as expired.
Cardholder details had not been deleted since 2006 and there had been no security checks or reviews since the system had been installed.
Stephen Eckersley, Head of Enforcement, said:
“This was a staggering lapse that left more than a million holiday makers’ personal details exposed to a malicious hacker.
“Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers’ personal data secure; failing to test their security and failing to delete out-of-date information.
“The public’s awareness of the importance of data protection is rising all the time. Ignorance from data controllers is no excuse. They must take active steps to ensure the personal data they are responsible for is kept safe or face enforcement action and the resulting reputational damage.”
The Monetary Penalty Notice relevantly provides:
TW3 is the data controller in respect of the personal data collected from customers of its wholly owned subsidiary and trading brand, Essential Travel Ltd (“ETL”). ETL acts as a booking agent for airport car parking, travel insurance, and other travel-related services that are made available online.
In early 2006 the data controller internally developed a car parking system for ETL to maintain car park rates and availability. The system was for internal purposes only and was installed on the same webserver which contained ETL’s main e-commerce application used to store customer personal data. In order to facilitate home working this system could be accessed via a login page on a non-customer-facing website which was publicly available over the internet.
Unfortunately the website login page coding was not secure as it contained a coding error in the authentication scripts of the administrative interface. The data controller conducted functionality tests when the system was implemented but did not carry out security checks and reviews on the system and website coding at the time of implementation, or subsequently. The login page for the website was therefore vulnerable since the system was implemented in early 2006.
The data controller did not subject the web server to appropriate penetration tests or internal vulnerability scans and checks which took place on other servers on the basis that the website and web server were not external facing. However the website (and therefore associated system and web server) could still be discovered and accessed over the internet by anyone with sufficient technical knowledge.
On 21 December 2012 an attacker targeted the website and associated system. The coding error on the website login page enabled the attacker to bypass the authentication process for logging into the system using Structured Query Language injection, and log in to the website’s administrative interface.
Having exploited this vulnerability the attacker then proceeded to upload malicious web shells onto the connected web server which gave the attacker administrative access to all of the data held on the web server. These allowed the attacker to access and modify files within ETL’s virtual network, including data within the e-commerce application which contained the ETL’s customer data base and files used to process payment cards.
Evidence obtained as a result of the data controller’s own internal investigation suggests that the attacker then created a custom file that would query the customer database to extract and decrypt stored cardholder data (both active and expired cards) using the decryption key which was not stored securely on the webserver. The attacker targeted credit and debit card primary account numbers, expiry dates, CVV values and account user names and surnames. Fortunately CVV values were not stored on the database. However following successful extraction of the available data the attacker then extracted other customer details relating to each card, specifically: customer name, address, postcode, mobile and home phone numbers, and email address.
The attacker extracted a total of 1,163,996 credit and debit card records, of which 430,599 were identified as current and 733,397 as expired. Card holder data had not been deleted from the server since 2006. The data controller discovered the breach in security on 24 December 2012 during a routine server check which revealed a notification from the anti-virus software installed on the server. This resulted in the data controller taking prompt remedial action to lock down the relevant website, systems and web server in order to prevent any further disclosure of data.
………..
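The notice describes a login page whose authentication script could be bypassed with SQL injection. The following is an added illustration, not code from the notice or from Think W3/ETL, of the flaw class beside its fix: a credential check that splices user input into the SQL text, and the same check written with a parameterised query. The table, the user `carpark_admin` and the password are constructed sample data; the unsalted SHA-256 storage is a simplification to keep the focus on query construction (a real system would use a salted, slow hash).

```python
import hashlib
import hmac
import sqlite3


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256 of a string; kept simple so the example stays about SQL."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory credential store for an internal admin interface."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin_users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO admin_users VALUES (?, ?)",
        ("carpark_admin", sha256_hex("correct-horse-battery")),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Authentication that builds the SQL by string formatting.

    Hypothetical reconstruction of the flaw class the notice calls a 'coding
    error in the authentication scripts': both credentials are evaluated inside
    the query, so any input that changes the WHERE clause changes who gets in.
    """
    sql = (
        "SELECT username FROM admin_users "
        f"WHERE username = '{username}' AND password_hash = '{sha256_hex(password)}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with a parameterised query and the comparison done in code.

    The driver passes the username as data, never as SQL text, so quote
    characters in it cannot alter the statement. The stored hash is compared
    with hmac.compare_digest to avoid leaking timing information.
    """
    row = conn.execute(
        "SELECT password_hash FROM admin_users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], sha256_hex(password))


if __name__ == "__main__":
    db = build_db()
    # Regression input for the fix: a quote closes the string literal and the
    # SQL comment marker discards the password condition that follows it.
    probe = "carpark_admin' --"
    print("vulnerable, valid creds :", login_vulnerable(db, "carpark_admin", "correct-horse-battery"))
    print("vulnerable, bad password:", login_vulnerable(db, "carpark_admin", "guess"))
    print("vulnerable, quote probe :", login_vulnerable(db, probe, "guess"))
    print("hardened,   quote probe :", login_hardened(db, probe, "guess"))
```

The same probe is the kind of input a security review of the login page in 2006 would have exercised; the notice records that only functionality tests were run. Parameterisation fixes the injection, but it does not address the other findings in the notice (the decryption key kept on the same webserver, cardholder data retained since 2006), which need separate controls.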
In particular, the data controller failed to take appropriate technical measures against the unauthorised or unlawful processing of personal data by failing to:
- Properly understand the extent to which the web server could be accessed via the internet. This led to the data controller deliberately excluding the web server from penetration and vulnerability tests which were carried out on ‘external-facing’ servers,
- Properly test/check/review the security of the coding of the website at the time of, and following, the website’s implementation in 2006,
- Implement a suitable intrusion detection system for the website and server,
- Implement suitable file-integrity monitoring software,
- Implement a suitable encryption key-management process,
- Implement a suitable security policy addressing technical security issues,
- Patch software when updates were available,
- Update anti-virus software properly on some desktop systems,
- Fully comply with the requirements of the Payment Card Industry – Data Security Standard.
The contravention is serious because the measures taken by the data controller did not ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing, and the nature and volume of the data to be protected.
………..
Aggravating features the Commissioner has taken into account in determining the amount of a monetary penalty
Impact on the data controller
- Data controller is a limited company so liability to pay a monetary penalty will not fall on any individual.
- Data controller has access to sufficient financial resources to pay a monetary penalty up to the maximum without causing undue financial hardship.
Mitigating features the Commissioner has taken into account in determining the amount of the monetary penalty
Nature of the contravention
- The data controller’s systems were subjected to a criminal attack.
- No previous similar security breach that the Commissioner is aware of.
Effect of the contravention
- No evidence or confirmation has been received that the personal data has been used for fraudulent transactions.
Behavioural issues
- Voluntarily reported to the Commissioner’s office.
- The data controller has been co-operative with the Commissioner’s office.
- The data controller promptly locked down the website and associated systems when the breach was discovered and escalated the matter quickly despite the timing of the incident.
- On discovering the incident the data controller quickly decommissioned the website and associated system which had been replaced by a new system on 19 December 2012. The website and system had originally been due to be decommissioned in January 2013.
- The data controller had been in the process of a tokenisation program to improve data security. In light of this incident the data controller fast-tracked the implementation of the token based system for the remaining products that had not yet been transferred to the new system.
Impact on the data controller
- Significant impact on reputation of data controller as a result of this security breach.
Other considerations
The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with the Act and this is an opportunity to reinforce the need for data controllers to ensure that appropriate and effective security measures are applied to personal data stored on their information technology systems.
Notice of Intent
A notice of intent was served on the data controller dated 2 June 2014. The Commissioner has not received any representations from the data controller in response to the notice of intent. In the circumstances, the Commissioner has now taken the following steps:
- reconsidered the amount of the monetary penalty generally, and whether it is a reasonable and proportionate means of achieving the objective which the Commissioner seeks to achieve by this imposition;
- ensured that the monetary penalty is within the prescribed limit of £500,000; and
- ensured that the Commissioner is not, by imposing a monetary penalty, acting inconsistently with any of his statutory or public law duties and that a monetary penalty notice will not impose undue financial hardship on an otherwise responsible data controller.
Amount of the monetary penalty
The Commissioner considers that the contravention of the seventh data protection principle is very serious and that the imposition of a monetary penalty is appropriate. Further that a monetary penalty in the sum of £150,000 (One hundred and fifty thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty.
In reaching this decision, the Commissioner considered other cases of a similar nature in which a monetary penalty had been imposed, and the facts and aggravating and mitigating features referred to above.
It is a very significant penalty by ICO standards, but it was a particularly egregious breach. While there is no evidence of fraudulent transactions resulting from the breach, the hacker was able to extract considerable information in addition to credit card details, including customer name, address, postcode, mobile and home phone numbers and email address. It did not help Think W3 Limited that it had not been deleting data since 2006: a very poor data handling practice, not to mention a breach of the Act. As the ICO made clear, Think W3 Limited failed to take appropriate technical measures that would have averted the breach. It is very useful for the ICO to provide such a detailed analysis of what was not done, what should have been done and the consequences of the failure; it gives organisations a concrete basis on which to take practical heed and check their own systems.
The contrast between the ICO’s approach to significant data breaches and the Privacy Commissioner’s is stark. That may be because, until March 2014, the Privacy Commissioner’s enforcement options were limited. The test will be what the Privacy Commissioner does in relation to a breach occurring after 12 March 2014. The ICO and the FTC take quite strong action against malefactors, which is not to say their offices are not criticised for being too lenient. But from an Australian perspective they are, currently, assertive and aggressive.