Thomson data breach: more than 450 holidaymakers’ details exposed

The BBC reports that the personal details of 458 customers of holiday company Thomson were shared in an email sent on 15 August in a “data protection breach”. Holidaymakers’ details included names, addresses, email addresses, telephone numbers and flight details.

Thomson said:

We are aware of an email that was sent in error, which shared a small number of customers’ information.

The error was identified very quickly and the email was recalled, which was successful in a significant number of cases.

We would like to apologise to our customers involved and reassure them that we take data security very seriously.

We are urgently investigating the matter to ensure this situation will not be repeated.

Data Protection Act compliance

The Information Commissioner’s Office (ICO) can issue fines of up to £500,000 for breaches of the Data Protection Act 1998 (DPA).

Principle 7 of the DPA states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data,” but, as the ICO itself notes, ‘There is no “one size fits all” solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances, so you should adopt a risk-based approach to deciding what level of security you need.’

An information security management system (ISMS), as set out in the international standard ISO 27001, provides such a risk-based approach to information security. Implementing an ISMS enables organisations of all sizes, sectors and locations to mitigate the risks they face with appropriate controls. An ISMS addresses people, processes and technology, providing an enterprise-wide approach to mitigate information security risks with appropriate controls, thereby limiting the inadvertent threats posed by untrained staff, inadequate procedures and out-of-date software solutions.

Addressing insider threats

An ISO 27001-compliant ISMS requires staff to be adequately trained, their access rights to be suitably controlled, and a best-practice approach to information security to be adopted throughout the organisation.

If you’re concerned about your organisation’s susceptibility to insider security threats, you need to ensure that everyone in the organisation behaves responsibly. IT Governance’s Information Security Staff Awareness E-learning Course aims to familiarise non-technical staff with information security policies and procedures, thereby reducing the organisation’s susceptibility to attack and limiting the risk wrought by careless or ignorant staff.

Our Information Security & ISO 27001 Staff Awareness E-learning Course enables employees to gain a better understanding of information security risks and compliance requirements in line with ISO 27001, the international information security standard.



  1. Michael Clayton 27th August 2015
    • Neil Ford 27th August 2015
  2. Mandy 11th September 2015
    • Lewis Morgan 11th September 2015