The Information Commissioners Office (the “ICO”) has fined Staysure.co.uk Limited (“Staysure”), an online travel insurance company, £175,000 for its failure to comply with the seventh data protection principle, after IT security failings allowed hackers to access up to 100,000 customer financial records. This attack resulted in over 5,000 customers having their credit cards used by fraudsters.

Facts

Staysure's website was targeted by hackers who were exploiting a known vulnerability in the Application Server that Staysure used. The vulnerability was first identified in 2010 and a software fix was published. A further software update was published in 2013 to fix a subsequent vulnerability. However, Staysure did not have formal processes in place to review and install software updates and in both cases failed to implement the required updates. This allowed hackers to access its system in October 2013.

At the time of the attack, Staysure's system contained approximately three million customer records, including personal information such as customer name, date of birth, postal address, payment card details (including card number, expiry date and CVV numbers) and medical screening data. Although the security of all of this information was at risk, the ICO believe that only payment card data was targeted.

The hackers potentially had access to over 110,000 live card details relating to a total of over 93,000 customers however only 5,000 customers card details were used in fraudulent transactions by the hackers. The hackers exploited the vulnerability in Staysure's IT systems by injecting malicious malware into the website. This enabled the hackers to access Staysure's entire system allowing them to decrypt customer payment card details and access CVV numbers. The ICO found that Staysure had failed to put in place adequate policies and systems for checking, reviewing and applying software security updates and drew particular attention to the wrongful storing of CVV numbers on its database in breach of the Payment Card Industry Data Security Standard.

The Head of Enforcement at the ICO commented: “The fine issued by the ICO today should send a clear message to other companies of the importance of proper IT security”.

The press release by the ICO is here. The full ICO notice can be found here.