Essential Travel (Think W3) has been served with a £150,000 fine by the UK data protection body, the Information Commissioner's Office (ICO).
According to an ICO statement, a serious breach of the Data Protection Act meant thousands of people's details were revealed to a 'malicious hacker'.
The statement continues that Essential Travel, owned by Thomas Cook at the time, was hacked in December of 2012 after 'insecure coding' was used on its website.
More than a million customer credit and debit card details were revealed with almost 431,000 identified as current.
The statement says:
"Cardholder details had not been deleted since 2006 and there had been no security checks or reviews since the system had been installed."
Head of enforcement Stephen Eckersley goes on to say:
"Data security should be a top priority for any business that operates online. Think W3 Limited accepted liability for failing to keep their customers’ personal data secure; failing to test their security and failing to delete out-of-date information."
According to the ICO's Monetary Penalty Notice, Essential Travel has until August 21 to pay the penalty, which will be reduced to £120,000 if it is paid by 20 August and the company forfeits its right to an appeal.
The Penalty Notice also states that at the time Essential Travel's data controller acted quickly to lock down the website. It goes on to say that there is no evidence of the personal data being used for fraudulent activity.
Essential Travel, which specialises in holiday add-ons such as airport parking, hotels and insurance, was acquired from Thomas Cook by Holiday Extras in December 2013.
A spokesperson for the ICO confirmed that responsibility for payment lies with Think W3.
A statement from Thomas Cook stresses that the operator no longer owns Essential but that it will pay the fine:
"As the breach occurred while Think W3 Ltd/Essential Travel was part of the Thomas Cook Group, we will make the payment on behalf of Holiday Extras against this monetary penalty."
David Jones, TigerBay chairman and a cyber security specialist, says the travel industry should view the incident as a wake-up call.
"Every company is at risk of attack, even if they don't hold credit card details."
Holiday Extras has meanwhile issued a statement seeking to reassure customers, past and present, that their data is secure.
Earlier this month HotelHippo was taken offline and the ICO has opened an investigation into alleged data protection breaches. A statement online says 'website permanently closed.'