The ICO has handed online insurance firm Staysure.co.uk a stinging £175,000 fine after chaotic security practices allowed hackers to steal the details of 100,000 credit cards from the firm's database, several thousand of which were later subject to fraud.
The ICO's investigation notes read like a case study in the way that an accumulation of smaller mistakes and poor processes can lead over time to major security problems.
The software vulnerability that made the attack possible turned out to be an old one in the JBoss Application Server that had been patched as far back as 2010. Incredibly, the travel firm had no defined process for applying security updates and so this one was missed.
Having broken in, the attackers had access to the entire customer database of three million but targeted a subset of 110,096 live card details for which they had been able to retrieve the encryption keys. CVV numbers for these cards had also not been deleted "as a result of human error," meaning that the criminals were now free to attempt to use the cards.
Around 5,000 were subsequently used in fraud and attempted fraud, something only realised when the credit card processor informed the firm of an unusual number of suspect transactions.
The failings were threefold: leaving a known software flaw unpatched for years, incompetently securing the data in the database, and failing to detect these errors until it was too late.
"It's unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure," said ICO head of enforcement, Steve Eckersley.
"Keeping personal information secure is a basic legal requirement. The company's actions were unacceptable and this penalty notice reflects the severity of the situation. The fine issued by the ICO today should send a clear message to other companies of the importance of proper IT security."
The ICO has become adept at tailoring its fines to the perceived crimes it wants to punish. In this case, the long-term nature of the failings and chaotic management of risk counted against the firm. Fraud was also a direct outcome of poor security.
Only weeks ago it decided against fining shoe firm Office, despite hackers gaining access to a database of a million customers left 'parked' on a server.