UK ICO Fines Hotel Booking Website for Leaking Both PI and Encryption Key

The UK Information Commissioner’s Office (ICO) has warned organizations to protect their websites against one of the most common forms of online attack, known as SQL injection. The warning comes after the hotel booking website, Worldview Limited, was fined £7,500 following a serious data breach in which a vulnerability on the company’s site allowed attackers to access the full payment card details of 3,814 customers. Although the customers’ payment details had been encrypted, the decryption key was stored with the data, allowing the attackers to access the customers’ full card details, including the three-digit security code needed to authorize online payments.

Worldview would have received a £75,000 penalty, but the ICO was required to consider the impact any penalty would have on the company’s financial situation.
