Lancaster-based apartment booking company Worldview Limited has been fined under the Data Protection Act for allowing unauthorised access to customers' details. The company operates under two UK brands, Citybase Apartments and Central London Apartments.
Although customers' payment details had been encrypted, the means to decrypt the information - known as the decryption key - was stored with the data.
The Information Commissioner's Office (ICO) press release states that a SQL injection vulnerability that had existed for 3 years was the root cause, which might imply that the decryption key was either stored in the database or that the database could be used to read the key from elsewhere, such as the file system. The information taken included 3,814 payment card details; the press release also mentions that both primary account numbers (PANs) and three digit security codes were accessed, which is even more interesting. The terms and conditions (Citybase, Central London) state:
Your payment card details will be securely held for the purpose of processing the booking until the day of check in. On the day of check-in, the credit card details are removed from our systems.
That's the travel industry problem of stored card data.
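As an added illustration of the two points above (it is not code from Worldview, Citybase, Central London or the ICO), the following Python example uses an in-memory sqlite3 database with a constructed bookings table. It shows the string-concatenated lookup that makes SQL injection possible beside the parameterised lookup that does not, and a purge routine of the kind the terms and conditions describe, clearing stored card data once the check-in date has passed. The table name, column names, booking references, dates and ciphertext values are all assumptions made for the example.

```python
"""Constructed bookings store: unsafe vs parameterised lookup, plus card-data purge."""
import sqlite3

# Constructed sample rows: (reference, guest, check-in date, encrypted PAN).
# pan_enc stands in for ciphertext; the decryption key is deliberately NOT
# stored in this database, which is the mistake the ICO notice describes.
SAMPLE_BOOKINGS = [
    ("CB-1001", "A. Guest", "2014-11-05", b"\x9f\x02\x7a\x41"),
    ("CB-1002", "B. Guest", "2014-11-07", b"\x13\xe8\x55\xc0"),
    ("CL-2001", "C. Guest", "2014-11-20", b"\x77\x0b\xaa\x3d"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bookings ("
        "ref TEXT PRIMARY KEY, guest TEXT, checkin TEXT, pan_enc BLOB)"
    )
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?, ?)", SAMPLE_BOOKINGS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, ref: str) -> list:
    """VULNERABLE: the untrusted booking reference is spliced into the SQL text,
    so input containing a quote character changes the query's meaning."""
    sql = "SELECT ref, guest FROM bookings WHERE ref = '" + ref + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, ref: str) -> list:
    """HARDENED: the reference is passed as a bound parameter; the database
    treats it purely as a value, never as SQL."""
    sql = "SELECT ref, guest FROM bookings WHERE ref = ?"
    return conn.execute(sql, (ref,)).fetchall()


def purge_checked_in(conn: sqlite3.Connection, today: str) -> int:
    """Clear stored card data for every booking whose check-in date (ISO
    format, so string comparison orders correctly) is on or before today.
    Returns the number of rows cleared."""
    cur = conn.execute(
        "UPDATE bookings SET pan_enc = NULL "
        "WHERE checkin <= ? AND pan_enc IS NOT NULL",
        (today,),
    )
    conn.commit()
    return cur.rowcount


def stored_card_count(conn: sqlite3.Connection) -> int:
    """How many bookings still hold encrypted card data."""
    return conn.execute(
        "SELECT COUNT(*) FROM bookings WHERE pan_enc IS NOT NULL"
    ).fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    tampered = "' OR '1'='1"          # classic textbook input containing a quote
    print("unsafe:", lookup_unsafe(conn, tampered))   # every row comes back
    print("safe:  ", lookup_safe(conn, tampered))     # no such reference
    print("purged:", purge_checked_in(conn, "2014-11-07"))
    print("still stored:", stored_card_count(conn))
```

The parameterised form is the whole fix for the injection class; there is no need to sanitise the reference by hand. Note also that nothing in this database can yield a decryption key, because the key is kept outside it (for example in the application's environment or a key store), so a compromised query path exposes only ciphertext.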
Apparently the fine would have been £75,000, but that may have put the company out of business. I suspect the fact that Worldview Limited will also be paying forensic investigation charges, card re-issue fees, card monitoring fees and fines relating to their PCI DSS contractual obligations will also have been taken into account by the ICO. Even so, £7,500 is a lot less than Worldview should be spending to ensure their customer data is secure. The fine is reduced further to £6,000 if payment is made by 1st December 2014.
When you submit your card details the information is encrypted (scrambled) so that it can only be read by the secure server, making the transaction as secure as possible.
When Lush Cosmetics had an ecommerce incident in 2010-11 with a similar number of cards and other personal data compromised, there was no fine — just an undertaking (and of course the PCI DSS costs). I suspect this stronger response from the ICO reflects its view that SQL injection is a basic fault that is below any acceptable level of security.
Update 7th November 2014: Link to monetary penalty notice and details of early payment discount added.
Posted on: 07 November 2014 at 08:59 hrs