The Information Commissioner’s Office (ICO) has fined a travel insurer £175,000 after inadequate security on its website exposed 100,000 live credit card records to hackers.

The negligence of Staysure.co.uk, which specialises in insuring those over 50, led to more than 5,000 customers being defrauded after an attack on its website, which also exposed medical records and card verification values (CVVs) – even though the latter is not supposed to be stored online.

Steve Eckersley, head of enforcement at the ICO, said: "It’s unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure.

"Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation."

The hacker attacked Staysure.co.uk during October 2013, exploiting a vulnerability in the JBoss application server to insert a malicious JavaScript page onto the site.

This created a backdoor into the server through which the hacker could modify source code and query the website’s database, as well as open a command interface giving privileged access to the operating system.

Payment card details collected before June 2008 were found to have been held in plain text on the site, whilst encryption used to obscure credit card numbers after that date was successfully cracked after the hacker found the keys.

CVVs were not encrypted at any point, and even though Staysure.co.uk took the decision to delete them in 2012, the process was not completed due to "human error", according to the ICO. A new payment system was implemented in May of that year, but some CVVs were still being stored online.
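The two storage failures described above (plaintext card numbers, retained CVVs) are the kind of thing a routine data audit would catch. The following is an added example, not code from the article or from Staysure's systems: it scans constructed sample payment rows and flags any Luhn-valid card number held in the clear and any row still holding a CVV. Column names and the row layout are assumptions.

```python
import re

# Constructed sample rows standing in for a payments table; not real customer data.
# Row 1: pre-2008 style plaintext PAN plus a retained CVV.
# Row 2: PAN encrypted (opaque value) but CVV still present.
# Row 3: tokenised PAN, CVV correctly absent.
# Row 4: 16-digit value that fails Luhn (e.g. an order reference), no CVV.
SAMPLE_ROWS = [
    {"id": 1, "created": "2007-11-02", "pan": "4111111111111111", "cvv": "123"},
    {"id": 2, "created": "2009-03-14", "pan": "enc:9f1c3a7d", "cvv": "456"},
    {"id": 3, "created": "2013-07-30", "pan": "tok_8af2", "cvv": ""},
    {"id": 4, "created": "2010-01-05", "pan": "4111111111111112", "cvv": None},
]

PAN_RE = re.compile(r"^\d{13,19}$")  # card number lengths per ISO/IEC 7812


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_rows(rows):
    """Return a list of (row id, issue) for plaintext PANs and retained CVVs."""
    findings = []
    for row in rows:
        pan = (row.get("pan") or "").replace(" ", "")
        # Only digit strings of card length that pass Luhn are treated as a live PAN,
        # which keeps encrypted blobs, tokens and order numbers out of the findings.
        if PAN_RE.match(pan) and luhn_ok(pan):
            findings.append((row["id"], "plaintext_pan"))
        cvv = row.get("cvv")
        # A CVV must never be retained after authorisation, so any value is a finding.
        if cvv is not None and str(cvv).strip() != "":
            findings.append((row["id"], "cvv_retained"))
    return findings


if __name__ == "__main__":
    for row_id, issue in audit_rows(SAMPLE_ROWS):
        print(f"row {row_id}: {issue}")
```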

Chris McIntosh, chief executive of communications firm ViaSat UK, said: "While the ICO has been issuing monetary penalties since 2012, it seems that for too many organisations the lessons simply aren’t sinking in.

"True IT security means much more than simply putting firewalls and anti-virus in place. It also means ensuring that systems are regularly tested and updated, and that there are no weak links where an attacker can gain access."