The Information Commissioner’s Office (ICO) has fined an online travel insurer £175,000 for failing to keep customers’ personal information secure. This amounted to a breach of the seventh data protection principle enshrined in the Data Protection Act 1998.

Attackers gained access, via the firm’s website, to a database containing approximately three million customer records, including over 110,000 live credit card details, as well as customers’ medical details. The compromised credit card details included security numbers, despite industry rules against their storage. Over 5,000 customers had their credit cards used fraudulently as a result.

The attackers had been able to exploit flaws in the firm’s system (some of which had existed for five years) to gain access to customer information.

In particular, the ICO found that the firm:

  • Did not have any adequate IT security policy or procedures in place.
  • As a consequence, had failed to update software which could have prevented the attack.

The ICO regarded these as serious and unacceptable failings, reflected in the level of penalty imposed.

A copy of the monetary penalty notice can be found here: https://ico.org.uk/media/action-weve-taken/mpns/1043368/staysure-monetary-penalty-notice.pdf. The case is a reminder of the responsibilities which insurers have in respect of customer data and the serious consequences which can follow from breach of the relevant obligations. Firms suffering data security breaches are not only at risk of ICO fines but in certain circumstances can also face enforcement action for breach of the FCA’s financial crime requirements. Insurers should accordingly make sure that they are properly advised as to their data protection responsibilities.