What's the price for leaking information on more than one million credit cards? For one U.K. travel company, the answer is a £150,000-fine — more than $250,000 — imposed by the Information Commissioner's Office.

According to the ICO, Think W3 Limited violated the country's Data Protection Act after a hacker stole 1,163,996 credit and debit card records, much of the information dating back prior to 2006. While the bulk of the records —733,397 — had expired, the remaining 430,599 were current when the company was hacked in December 2012 through insecure coding of subsidiary Essential Travel Ltd.'s website.

In what the ICO Head of Enforcement Stephen Eckersley referred to in a news release as a “staggering lapse,” the company had not deleted cardholder information since 2006 nor had it reviewed or the checked security of its system since its installation.