
Irish Data Protection Commission Case Studies


Case study 14: Hacking attack on SelfCatering [2010] IEDPC 14 (2010)
URL: http://www.bailii.org/ie/cases/IEDPC/2010/[2010]_IEDPC_14.html
Cite as: [2010] IEDPC 14



Hacking of a website [30/05/2011]


A bank made a data security breach notification to my Office in 2009 in relation to the credit cards of 1200 customers that had been compromised.  Company X, an on-line holiday company, was identified as a common compromise point where all the cards had been used.


We contacted Company X and the Irish Payment Services Organisation (IPSO) to ascertain the full extent of the data security breach.  It was determined that the timeframe during which the cards had been compromised was from May 2009 to June 2010.  The company informed us that an investigation had begun which involved a forensic examination of their computer systems.  We requested a copy of the forensic examination report immediately on its completion.  We also instructed the company to cease processing personal data via its website until a reputable third party had certified that the website was secure for the processing of all personal data.


We obtained a copy of the forensic examination report for evaluation.  It revealed that the website was not properly secured and had been subject to a SQL injection attack. The site did not comply with PCI (Payment Card Industry) security standards as required for handling on-line credit card transactions.  The total number of credit cards that had been compromised was 9,500.  The report revealed that 50,000 personal contact details held on the website may also have been compromised.  It became evident during the course of my investigation that Company X believed that its hosting company was responsible for the security of its website.  On that basis, the company had not ensured that the website was properly secured from external attacks through appropriate design and security measures.


We presented the company with a list of issues to be addressed and a requirement for third party confirmation that these issues had been resolved, with particular emphasis on security measures.  At our request, a prominent notice, the terms of which were agreed with our Office, was placed on the home page of the website to inform data subjects of the incident.  This notice remained in place for 4 months.  Those whose credit card details were affected were contacted directly by the relevant financial institutions. 


This case was an example of a data controller using technology that it was unable to properly manage and obtaining personal data that it was unable to appropriately secure.  My concern is that such problems are probably more widespread.  Organisations intending to collect personal data on-line must take responsibility for ensuring that their websites are appropriately secure before accepting any on-line customers.


