The travel insurance company Staysure has confirmed that customer names, addresses and card payment details have been stolen from customers who took out insurance before May 2012. The payment details included the CVV – the three-digit number on the back of a card that is required to make a purchase.
The attack took place in October last year, but the company was slow to react: it only became aware of the problem on 14th November and did not inform customers until a month after that.
The Financial Conduct Authority, the Information Commissioner's Office and the Police have all since been informed of the data breach, while Staysure says that it stopped holding these personal details from May of last year.
“We immediately hired independent forensic data experts to fully ascertain the extent of the problem and have written to 93,389 affected customers, which represents fewer than seven percent of our customer base, to warn them and ask them to check that they have not been the victims of any fraud as a result,” said Staysure CEO Ryan Howsam, in a letter to customers.
To compensate affected customers, Staysure is offering free access to Data Patrol, an identity fraud monitoring service from Experian.
Reacting to the news, two senior IT security professionals said that it is up to businesses to take the correct precautions to guard against the growing cyber threat, by doing things such as encrypting data and adhering to the latest PCI standards.
"In this specific attack, it's surprising that the company took such a long time to disclose the data breach to its customers," Jason Hart, VP of cloud solutions at SafeNet, told SCMagazineUK.com.
"As the card details of Staysure's 93,000 customers were encrypted, the attackers will have been unable to access the data. If you encrypt the sensitive data, then breaches matter less because it renders any data useless to an unauthorised party, so the company could have minimised any reputational damage by reporting the breach and full facts sooner.
"A perfect example is Target. They reported the breach but also indicated that PIN information was encrypted – and hence the impact of the breach was immediately reduced."
Paul Ayers, VP EMEA at enterprise data security firm Vormetric, also criticised Staysure for the delay and, while urging the firm to embrace encryption and the latest PCI DSS standards, warned that hackers are getting better at what they do.
“The fact that some organisations are still storing and handling unencrypted sensitive data during this challenging time for IT security is tempting fate,” Ayers told SCMagazineUK.com. “Standards such as the recently updated PCI DSS – which coincidentally prohibits the storing of CVV numbers – offer some protection to customers by penalising businesses that fail to comply.
“However, hackers are getting better at what they do, and as a result, we have reached a point where data breaches are inevitable. Today's businesses must not only understand this, but also take measures to minimise the financial and reputational damage of such an event.”
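The control Ayers refers to is the PCI DSS rule that sensitive authentication data (CVV/CVC, full track data, PIN blocks) must never be retained after authorisation, and that any stored card number (PAN) must be protected, typically by masking or truncation. The following is an added illustration, not code from the article or from Staysure or any vendor quoted in it: a small scrubber that strips a payment record down to what may be persisted, plus an at-rest audit that flags legacy records still holding CVV fields or unmasked PANs. The field names, the record layout and the sample card data are all constructed assumptions for the example.

```python
"""Added example (not from the article): post-authorisation scrubbing and an
at-rest audit for stored payment records, modelled on the PCI DSS rule that
CVV/CVC, track data and PIN blocks are never stored and that a retained PAN
is masked. All field names and sample values below are constructed."""
import re

# Assumed field names for sensitive authentication data (never persisted).
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cvv2", "cid", "track1", "track2",
                         "pin", "pin_block"}
# Assumed field names under which a full card number might arrive.
PAN_FIELDS = {"pan", "card_number"}

# A run of 13-19 digits, optionally separated by spaces or hyphens, not
# adjacent to further digits. Candidates are confirmed with a Luhn check.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(number: str) -> bool:
    """Standard Luhn checksum: doubling every second digit from the right."""
    digits = [int(c) for c in number if c.isdigit()]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; star out the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_for_storage(record: dict) -> dict:
    """Return the subset of a payment record that may be written to disk:
    sensitive authentication data is dropped, the PAN is replaced by a
    masked copy, and everything else (name, expiry, etc.) passes through."""
    stored = {}
    for key, value in record.items():
        k = key.lower()
        if k in SENSITIVE_AUTH_FIELDS:
            continue  # CVV, track data and PIN blocks are never persisted
        if k in PAN_FIELDS:
            stored["pan_masked"] = mask_pan(value)
            continue
        stored[key] = value
    return stored


def audit_stored_records(records) -> list:
    """Scan already-stored records for data that should not be there.
    Returns (record_index, field, finding) tuples."""
    findings = []
    for idx, rec in enumerate(records):
        for key, value in rec.items():
            if key.lower() in SENSITIVE_AUTH_FIELDS:
                findings.append((idx, key, "sensitive authentication data present"))
            elif isinstance(value, str):
                for match in PAN_PATTERN.finditer(value):
                    if luhn_ok(match.group()):
                        findings.append((idx, key, "unmasked PAN present"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a Visa-format test number, not a real card.
    incoming = {"customer": "A. Customer", "pan": "4111 1111 1111 1111",
                "expiry": "12/99", "cvv": "123"}
    print(scrub_for_storage(incoming))
    # Constructed legacy record of the kind the audit should flag.
    legacy = [{"name": "B. Customer", "card_number": "4111111111111111",
               "cvv": "123"}]
    for finding in audit_stored_records(legacy):
        print(finding)
```

The scrubber is applied at the boundary where a record is about to be persisted, so the CVV only ever exists in memory for the authorisation call; the audit is the check a team would run over an existing database or log store to find historical records that predate that boundary, which is the situation the article describes.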