DataBreaches.Net


SelfCatering.ie hack revealed in report on Ireland’s Data Protection Commissioner [repost]

Posted on June 1, 2011 by Dissent


One of the case studies in the 2010 annual report of the Data Protection Commissioner discussed a breach that I had not seen before:

Case study 14: Hacking attack on SelfCatering.ie website

A bank made a data security breach notification to my Office in 2009 in relation to the credit cards of 1200 customers that had been compromised. SelfCatering.ie, an online holiday company, was identified as a common compromise point where all the cards had been used.

We contacted SelfCatering.ie and the Irish Payment Services Organisation (IPSO) to ascertain the full extent of the data security breach. It was determined that the timeframe during which the cards had been compromised was from May 2009 to June 2010. SelfCatering.ie informed us that an investigation had begun which involved a forensic examination of their computer systems. We requested a copy of the forensic examination report immediately on its completion. We also instructed SelfCatering.ie to cease processing personal data via its website until a reputable third party had certified that the website was secure for the processing of all personal data.

We obtained a copy of the forensic examination report for evaluation. It revealed that the website was not properly secured and had been subject to a SQL injection attack. The site did not comply with PCI (Payment Card Industry) security standards as required for handling on-line credit card transactions. The total number of credit cards that had been compromised was 9,500. The report revealed that 50,000 personal contact details held on the website may also have been compromised. It became evident during the course of my investigation that SelfCatering.ie believed that its hosting company was responsible for the security of its website. On that basis, the company had not ensured that the website was properly secured from external attacks through appropriate design and security measures.

We presented SelfCatering.ie with a list of issues to be addressed and a requirement for third party confirmation that these issues had been resolved, with particular emphasis on security measures. At our request, a prominent notice, the terms of which were agreed with our Office, was placed on the home page of the website to inform data subjects of the incident. This notice remained in place for 4 months. Those whose credit card details were affected were contacted directly by the relevant financial institutions.

This case was an example of a data controller using technology that it was unable to properly manage and obtaining personal data that it was unable to appropriately secure. My concern is that such problems are probably more widespread. Organisations intending to collect personal data on-line must take responsibility for ensuring that their websites are appropriately secure before accepting any on-line customers.

Category: Breach Incidents, Business Sector, Hack, Non-U.S.
