ICO fines hacked insurance firm £175,000

News by Doug Drinkwater

The Information Commissioner's Office has handed out a £175,000 fine to Staysure.co.uk after the insurance company's data breach last year, which saw an unidentified hacker compromise 5,000 customers and access up to 110,000 live credit card details.  

Following the breach in October, the ICO has investigated the company's IT security practises and found that hackers had potential access to up to 110,000 live credit card details – including the three-digit security numbers (which should not be stored) – as well as customer medical records.

The hackers in question, however, only targeted and downloaded card information. At the time of the breach, the hacked database contained three million customer records.

The watchdog found that the company had breached the 1998 Data Protection Act by failing to keep personal information secure, while it also had no policy or procedures to review and update IT security systems.

In addition, it had twice failed to update (and thus remove flaws in) its database software, which the ICO says would have prevented this incident. As a result, the hackers exploited the flaws relating to the JBoss application server by injecting a malicious JavaScript webpage to create a backdoor onto the company's website. This flaw is said to have remained active for five years.

Staysure.co.uk was also criticised for – prior to June 2008 – storing payment card numbers in plain text, along with expiry dates and CVV numbers. From June that year, the company did start encrypting payment card numbers, although not CVV numbers, while it also failed to properly delete CVV numbers from its database in 2012 due to ‘human error'.

Steve Eckersley, head of enforcement at the ICO, said: “It's unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure. Keeping personal information secure is a basic legal requirement. The company's actions were unacceptable and this penalty notice reflects the severity of the situation.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews