One of the case studies in the 2010 annual report of the Data Protection Commissioner discussed a breach that I had not seen before:
Case study 14: Hacking attack on SelfCatering.ie website
A bank made a data security breach notification to my Office in 2009 in relation to the credit cards of 1200 customers that had been compromised. SelfCatering.ie, an online holiday company, was identified as a common compromise point where all the cards had been used.
We contacted SelfCatering.ie and the Irish Payment Services Organisation (IPSO) to ascertain the full extent of the data security breach. It was determined that the timeframe during which the cards had been compromised was from May 2009 to June 2010. SelfCatering.ie informed us that an investigation had begun which involved a forensic examination of their computer systems. We requested a copy of the forensic examination report immediately on its completion. We also instructed SelfCatering.ie to cease processing personal data via its website until a reputable third party had certified that the website was secure for the processing of all personal data.
We obtained a copy of the forensic examination report for evaluation. It revealed that the website was not properly secured and had been subject to a SQL injection attack. The site did not comply with PCI (Payment Card Industry) security standards as required for handling on-line credit card transactions. The total number of credit cards that had been compromised was 9,500. The report revealed that 50,000 personal contact details held on the website may also have been compromised. It became evident during the course of my investigation that SelfCatering.ie believed that its hosting company was responsible for the security of its website. On that basis, the company had not ensured that the website was properly secured from external attacks through appropriate design and security measures.
We presented SelfCatering.ie with a list of issues to be addressed and a requirement for third party confirmation that these issues had been resolved, with particular emphasis on security measures. At our request, a prominent notice, the terms of which were agreed with our Office, was placed on the home page of the website to inform data subjects of the incident. This notice remained in place for 4 months. Those whose credit card details were affected were contacted directly by the relevant financial institutions.
This case was an example of a data controller using technology that it was unable to properly manage and obtaining personal data that it was unable to appropriately secure. My concern is that such problems are probably more widespread. Organisations intending to collect personal data on-line must take responsibility for ensuring that their websites are appropriately secure before accepting any on-line customers.