A UK travel company, Think W3 Limited, has been fined £150,000 by the Information Commissioner’s Office (ICO) for leaking more than 1,000,000 credit card records.
A customer database intended for 'Internal Use' had been published on the main server behind an authentication page and a "secret URL". It did not take the attackers long to discover that they could reach the database without logging in. From there they gained access to the database administration console, and because the car park application sat on the same server as the main e-commerce site, they could read all of the data held there.
The attackers extracted a total of 1,163,996 credit and debit card records. Cardholder details had not been deleted since 2006, and there had been no security checks or reviews since the system was installed.