The security of personal information, including customer payment card data and related details, is integral to the functioning of food and drink retailers with an online offering, and there are serious consequences in the event of security breaches. Penalties include formal enforcement action by the Information Commissioner’s Office (“ICO”) and Financial Conduct Authority (“FCA”) fines, as well as damage to customer confidence and brand reputation. In addition, there are significant implications for merchants under their terms with card issuers and card acquirers if their systems are compromised.

The EU Data Protection Regulation, currently in draft form, is expected to bring in “competition style fines” of up to EUR 100 million or up to 5 percent of a business’s annual worldwide turnover for breaches, including security breaches. What follows is a reminder of the potential risks and implications for food and drink businesses that accept customer payments online, should personal information including cardholder data be compromised.

Background

What happened?

The ICO has served Staysure.co.uk Limited (“Staysure”), a specialist online travel insurer, with a £175,000 monetary penalty notice for a serious breach of the security principle of data protection law. The ICO ruled that the contravention was likely to cause substantial damage or substantial distress and Staysure knew, or ought to have known, of the risk that contravention would occur and would be of that kind.

Staysure’s website was attacked by hackers exploiting the vulnerability of the website’s server. The hackers injected a malicious webpage into the website which created a ‘backdoor’ to the server, allowing the hacker to remotely view and modify the website’s source code and access its backend database where customer data was being stored. The data included customer names, dates of birth, email addresses, postal addresses, phone numbers, payment card numbers, card expiry dates, card CVV numbers, travel details and responses to certain medical questionnaires.

Staysure did not pick this up; in fact it was its card acquirer, which processes payments made by its customers, that reported suspicious activity taking place across customer accounts. The acquirer identified that multiple IP addresses had accessed and downloaded customer payment card data from the server and used it for fraudulent transactions. At the time of the attack, 110,096 ‘live’ card details relating to 93,389 customers were stored on the old backend system and were at risk of fraudulent transactions. 5,000 payment card details were compromised.

How did this happen?

As Staysure had no formal process for reviewing and applying software updates and bug fixes, its server was left exposed to attack.

Retailers should take note. The hackers specifically targeted the payment card data in the database. Staysure had encrypted some, but not all, cardholder data from 2008 onwards, and the hackers were able to identify the encryption key and use it. In 2012 Staysure had identified that CVV numbers were being held on its servers and had started to delete them and cease storing them, but the work had not been completed.

Why the penalty?

The fact that CVV data was compromised is significant. These three-digit numbers, which are used to authenticate payment transactions, facilitated the card fraud. PCI DSS (the Payment Card Industry Data Security Standard) was not adhered to, and Staysure will have been in breach of its terms with card issuers and card acquirers.

The ICO’s decision to impose a fine and the level of that fine hinged on the aggravating features:

  • Staysure’s weaknesses around CVV numbers enabled the fraudulent activity and this satisfied the requisite “substantial damage or substantial distress” to customers; and
  • Staysure had been warned about the vulnerability of its software, so it “knew or ought to have known” of the relevant risks.

Staysure had also kept the CVV numbers for longer than necessary and this breached the data retention principle of data protection law.

The ICO’s Head of Enforcement, Steve Eckersley, said:

“It’s unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure. Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation.”

Summary

Food and drink businesses processing cardholder data online should be alive to the risks associated with customers’ payment card data. The ICO does not tolerate serious security breaches that are caused by an organisation’s own failures and that expose customers to the risk of fraud. Make sure you review the payment card data you hold to identify any gaps and ensure compliance, and supplement the exercise with a privacy impact assessment. More information on the ICO’s ‘privacy by design’ guidance is available from the ICO.

More generally, consider the security of your e-commerce platforms. Look at the data sets you are collecting in connection with the sale of your products and services and implement appropriate security measures, having regard to the state of technological development and the cost of implementing any measures. Also remember that the measures must ensure a level of security appropriate to (a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and (b) the nature of the data to be protected.
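The review of stored payment card data recommended above, and the CVV retention failure described in the Background, can be turned into a simple audit. The following is an added example, not code from the original article or from Staysure: it runs over a constructed set of stored customer records and flags any record that still holds a CVV, holds a plaintext card number, or has been kept beyond an assumed retention limit.

```python
import re
from datetime import date

# Constructed sample records; the PANs are public test numbers, not real cards.
# "enc:" marks a value assumed to be ciphertext rather than a plaintext PAN.
RECORDS = [
    {"id": 1, "pan": "4111111111111111", "cvv": "123", "stored": "2012-03-01"},
    {"id": 2, "pan": "enc:constructed-ciphertext", "cvv": None, "stored": "2015-01-20"},
    {"id": 3, "pan": "enc:constructed-ciphertext", "cvv": "456", "stored": "2015-02-01"},
    {"id": 4, "pan": "5555555555554444", "cvv": None, "stored": "2013-01-15"},
]

PAN_RE = re.compile(r"\d{13,19}")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, used to tell a plaintext PAN from other numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_record(rec: dict, today: date, max_age_days: int) -> list:
    """Return the findings for one stored record (empty list means no issue)."""
    findings = []
    if rec.get("cvv"):                      # CVV must not be retained after authorisation
        findings.append("cvv_stored")
    pan = rec.get("pan") or ""
    if PAN_RE.fullmatch(pan) and luhn_ok(pan):   # plaintext PAN, not encrypted/tokenised
        findings.append("plaintext_pan")
    age = (today - date.fromisoformat(rec["stored"])).days
    if age > max_age_days:                  # kept longer than the assumed retention limit
        findings.append("retention_exceeded")
    return findings


def audit(records: list, today: str, max_age_days: int = 365) -> dict:
    """Map record id -> findings, for records with at least one finding."""
    today_d = date.fromisoformat(today)
    report = {}
    for rec in records:
        findings = audit_record(rec, today_d, max_age_days)
        if findings:
            report[rec["id"]] = findings
    return report


if __name__ == "__main__":
    for rec_id, findings in audit(RECORDS, "2015-03-01").items():
        print(f"record {rec_id}: {', '.join(findings)}")
```

The 365-day retention limit is an assumption for the example; the appropriate period depends on the business purpose for which the card data is held.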