The security of personal information, including insured customers' details, is integral to the proper functioning of the insurance industry, and there are serious consequences in the event of a security breach. Penalties include formal enforcement action by the Information Commissioner's Office ("ICO") and, where relevant, FCA fines, as well as damage to customer confidence and reputation.

The EU Data Protection Regulation, currently in draft form, is expected to bring in "competition style fines" of up to EUR 100 million or up to 5 percent of annual worldwide turnover for breaches, including breaches of the security requirements.

This article will serve as a reminder of the potential risks and implications should personal information be compromised.    

Background

The ICO has served Staysure.co.uk Limited (“Staysure”), a specialist online travel insurer, with a £175,000 monetary penalty notice for a serious breach of the security principle of data protection law. The ICO ruled that the contravention was likely to cause substantial damage or substantial distress to customers and Staysure knew, or ought to have known, of the risk that this contravention would occur and would be of this kind.

What happened?

The Staysure website was attacked by hackers exploiting a vulnerability in the website's server software. The attackers injected a malicious web page into the site which acted as a 'backdoor' to the server, allowing them to remotely view and modify the website's source code and to reach the backend database where customer data was stored, including names, dates of birth, email addresses, postal addresses, phone numbers, payment card numbers, card expiry dates, card CVV numbers, travel details and responses to certain medical questionnaires.

Staysure did not detect the attack itself; rather, its card acquirer, which processes payments made by its customers, reported suspicious activity across customer accounts. Multiple IP addresses were found to have accessed and downloaded customer payment card data from the server, and that data was then used for fraudulent transactions. At the time of the attack, 110,096 'live' card details, relating to 93,389 customers, were stored on the old backend system and were at risk of fraudulent use. 5,000 payment card details were actually compromised.

How did this happen?  

Staysure had no formal process for reviewing and applying software updates and bug fixes, so its server was left running software with known, unpatched vulnerabilities.

The hackers specifically targeted the payment card data in the database. Although Staysure had taken steps from 2008 onwards to encrypt some, but not all, cardholder data, the attackers were able to locate the encryption key and use it to decrypt the data. In 2012 Staysure had identified that CVV numbers were being held on its servers and, although it had begun deleting them and ceasing their storage, that work was never completed.

Why the penalty?

The fact that CVV data was compromised is significant. These three-digit numbers, which are used to authenticate card-not-present transactions, facilitated the card fraud. PCI DSS (the Payment Card Industry Data Security Standard), which prohibits storing the CVV after authorisation, was not adhered to, and the likelihood is that Staysure will have been in breach of its terms with card issuers and card acquirers.

The ICO’s decision to impose a fine and the level of that fine hinged on the aggravating features:

  • Staysure’s weaknesses around CVV numbers enabled the fraudulent activity and this satisfied the requisite “substantial damage or substantial distress” to customers; and
  • Staysure had been warned about the vulnerability of its software, so it “knew or ought to have known” of the relevant risks.

Staysure had also kept the CVV numbers for longer than necessary and this breached the data retention principle of data protection law.

The ICO’s Head of Enforcement, Steve Eckersley said:

It’s unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure. Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation.

Summary

Organisations processing cardholder data – take note! The ICO does not tolerate serious security breaches caused by an organisation's own failures which expose individuals to the risk of fraud. Review what payment card data you hold, where it is held and for how long, identify any gaps in protection or retention and ensure compliance, and supplement the exercise with a privacy impact assessment. For more information on the ICO's 'privacy by design' approach please visit their website.
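The retention failure described above (CVV numbers that were meant to be purged but never were) and the review advised in this summary both come down to one practical check: find out which stored fields actually contain a full card number in clear text or a card security code. The following script is an added illustration, not code from the article or from Staysure. It assumes customer records are available as dictionaries (for example, rows pulled from the backend database) and that card security codes live in columns with conventional names such as cvv or cvc; the sample records are constructed test data using well-known test card numbers.

```python
"""Cardholder-data discovery check (hypothetical example, not Staysure's code).

Walks stored records and reports two things PCI DSS does not allow:
  * a full primary account number (PAN) held in clear text, and
  * a card security code (CVV/CVC) held at all after authorisation.
Luhn validation filters out ordinary digit runs (order numbers, phone
numbers) so that only plausible card numbers are reported.
"""
import re
from typing import Iterable

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Column names that conventionally hold the card security code (assumption).
CVV_NAME_RE = re.compile(r"^(cvv2?|cvc2?|cid|csc|security_?code|card_?code)$", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_clear_pans(value: str) -> list[str]:
    """Return Luhn-valid PANs found in clear text inside a string value."""
    found = []
    for m in PAN_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def is_security_code(value: str) -> bool:
    """A stored CVV/CVC is a bare 3- or 4-digit value."""
    return bool(re.fullmatch(r"\d{3,4}", value.strip()))


def audit_records(records: Iterable[dict]) -> list[dict]:
    """Report every field that holds a clear-text PAN or a security code.

    Only the last four digits of a PAN are included in the report, so the
    audit output itself does not become another copy of cardholder data.
    """
    findings = []
    for rec in records:
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            pans = find_clear_pans(value)
            if pans:
                findings.append({"id": rec.get("id"), "field": field,
                                 "issue": "clear_text_pan",
                                 "pan_last4": pans[0][-4:]})
            if CVV_NAME_RE.match(field) and is_security_code(value):
                findings.append({"id": rec.get("id"), "field": field,
                                 "issue": "stored_security_code"})
    return findings


# Constructed sample rows resembling an old backend table. The card numbers
# are the industry's published test numbers, not real cards.
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Customer", "card_number": "4111 1111 1111 1111",
     "expiry": "12/16", "cvv": "123", "phone": "01234 567890"},
    {"id": 2, "name": "B. Customer", "card_number": "************4444",
     "expiry": "06/17", "cvv": "", "notes": "Order 1234567890123"},
    {"id": 3, "name": "C. Customer", "card_number": "ENCRYPTED-BLOB",
     "expiry": "01/18", "cvv": "4321",
     "notes": "Card 378282246310005 declined, customer called"},
]


if __name__ == "__main__":
    for f in audit_records(SAMPLE_RECORDS):
        print(f)
```

Record 1 is reported twice (clear-text PAN and a stored CVV), record 2 is clean (masked PAN, empty CVV, and the 13-digit order number fails the Luhn check), and record 3 shows the case that discovery tools most often miss: the card_number column is encrypted, but a full PAN has leaked into a free-text notes field, and a CVV is still stored. A real scan would run over exported table dumps, log files and backups as well as the live database, since those are where retained data tends to linger.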

More generally, consider the security of your e-commerce platforms. Look at the data sets you collect in connection with the sale of your products and services and implement appropriate security measures, having regard to the state of technological development and the cost of implementing any measures. Note also that those measures must ensure a level of security appropriate to (a) the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage of the kind referred to in the seventh data protection principle, and (b) the nature of the data to be protected.