UK: ICO fines Staysure after hacked card details used for fraud
There’s an update to a breach reported on this site in January 2014:
An online holiday insurance company has been fined £175,000 by the ICO after IT security failings let hackers access customer records.
More than 5,000 customers had their credit cards used by fraudsters after the attack on Staysure.co.uk.
Attackers potentially had access to over 100,000 live credit card details, as well as customers’ medical details. Credit card security numbers, the number on the signature strips on the back of the cards, were also accessible despite industry rules that they should not be stored at all.
An ICO investigation found the company had breached the Data Protection Act by failing to keep the personal information secure. The company had no policy or procedures in place to review and update IT security systems, and had twice failed to update database software which could have prevented this incident. This left security flaws in the system, some for as long as five years, which hackers ultimately exploited to gain access to customer information.
Steve Eckersley, Head of Enforcement at the ICO, said:
“It’s unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure. Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation.”
“The fine issued by the ICO today should send a clear message to other companies of the importance of proper IT security.”
SOURCE: Information Commissioner’s Office
Comment: If Mr. Eckersley thinks it’s “unbelievable” that the insurer did not have procedures in place to keep customer information secure, I wonder what he’d think about all the breaches that get reported on this site on a daily basis!