February 25, 2015

Insurer fined £175,000 for ‘unbelievable’ insecurity

ICO reprimands firm for exposing thousands of sensitive records.

By Jimmy Nicholls

The Information Commissioner’s Office (ICO) has fined a travel insurer £175,000 after inadequate security on its website exposed 100,000 live credit card records to hackers.

The negligence of Staysure.co.uk, which specialises in insuring those over 50, led to more than 5,000 customers being defrauded after an attack on its website. The attack also exposed medical records and card verification values (CVVs), even though payment card industry rules (PCI DSS) prohibit storing a CVV at all once a transaction has been authorised.

Steve Eckersley, head of enforcement at the ICO, said: "It’s unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure.

"Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation."

The hacker attacked Staysure.co.uk during October 2013, exploiting a vulnerability in the JBoss application server to plant a malicious page on the site. The page was reported as JavaScript, but the access it gave (below) is that of a server-side web shell, which on JBoss is typically a JSP file deployed through an exposed management interface.

This gave the hacker a backdoor into the server: the ability to modify the site’s source code, query its database and open a command interface with privileged access to the operating system.
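The two signals in that account, deployment traffic to an application server’s management interface followed by requests to a newly appearing server-side page that takes shell-like parameters, are both visible in ordinary web-server access logs. The following is an added example, not code from the article or from Staysure, that scans constructed Apache-style log lines for both; the JBoss management paths and the parameter names are assumptions about commonly exposed endpoints and common web-shell conventions, not details taken from the ICO notice.

```python
"""Heuristic access-log scan for web-shell deployment on a JBoss-style server.

Added example with constructed log lines. MANAGEMENT_PATHS and SHELL_PARAMS are
assumptions (commonly exposed JBoss interfaces and common web-shell parameter
names), not facts from the penalty notice.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed: JBoss management/deployment interfaces that should never be reachable
# from the internet. Any hit, particularly a POST, merits investigation.
MANAGEMENT_PATHS = ("/jmx-console", "/web-console", "/invoker/JMXInvokerServlet", "/admin-console")
# Assumed: query parameter names web shells commonly use to receive OS commands.
SHELL_PARAMS = {"cmd", "command", "exec", "c"}

# Combined-log-format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: normal traffic, then one source probing the JMX console,
# deploying something, and driving a .jsp page with cmd= parameters.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Oct/2013:02:11:03 +0100] "GET /quote/travel HTTP/1.1" 200 5123
198.51.100.9 - - [14/Oct/2013:02:14:41 +0100] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:service=MainDeployer HTTP/1.1" 200 8811
198.51.100.9 - - [14/Oct/2013:02:15:02 +0100] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 122
198.51.100.9 - - [14/Oct/2013:02:15:30 +0100] "GET /helpdesk/sync.jsp?cmd=id HTTP/1.1" 200 64
198.51.100.9 - - [14/Oct/2013:02:16:05 +0100] "GET /helpdesk/sync.jsp?cmd=cat+/opt/jboss/server/default/deploy/app.war/WEB-INF/db.properties HTTP/1.1" 200 933
203.0.113.22 - - [14/Oct/2013:02:17:10 +0100] "GET /policy/view.jsp?id=4417 HTTP/1.1" 200 7201
"""


def parse(line):
    """Parse one access-log line into a dict with path and query-parameter names."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = set(parse_qs(parts.query).keys())
    return rec


def scan(log_text):
    """Return {client_ip: {"management": [paths], "shell": [paths]}} for every
    client that touched a management interface or drove a .jsp page with a
    shell-like parameter. A client appearing under both keys is the strongest
    indicator: it deployed something and then used it."""
    findings = defaultdict(lambda: {"management": [], "shell": []})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["path"].startswith(MANAGEMENT_PATHS):
            findings[rec["ip"]]["management"].append(rec["path"])
        if rec["path"].endswith(".jsp") and rec["params"] & SHELL_PARAMS:
            findings[rec["ip"]]["shell"].append(rec["path"])
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        severity = "HIGH" if hits["management"] and hits["shell"] else "medium"
        print(f"{ip}: {severity} management={hits['management']} shell={hits['shell']}")
```

On the sample, only 198.51.100.9 is reported, with two management hits and two shell hits; the legitimate /policy/view.jsp?id= request is ignored because `id` is not a shell-style parameter. The real signal in the last shell line is what it reads: a configuration file under WEB-INF, which is exactly how an attacker with a web shell goes on to find database credentials and encryption keys.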

Payment card details collected before June 2008 were found to have been held in plain text on the site. Card numbers collected after that date were encrypted, but the encryption was not cracked in any cryptographic sense: the hacker simply found the keys, which the backdoor into the server’s code and configuration made reachable. Encryption protects stored data only if the keys are held somewhere an attacker who reaches the data cannot also reach, such as a separate key-management service or hardware security module.

CVVs were not encrypted at any point, and even though Staysure.co.uk took the decision to delete them in 2012, the process was not completed due to "human error", according to the ICO. A new payment system was implemented in May of that year, but some CVVs were still being stored online.
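Both failures above, legacy card numbers left in plain text and CVVs that survived an incomplete deletion, are the kind of thing a cardholder-data discovery sweep finds. The following is an added example, not code from the article or from Staysure, that audits constructed customer rows for card numbers (regex candidates confirmed with the Luhn check, so that a reference number that merely looks like a card is not flagged) and for CVV-like values in columns that should have been purged; the column names and sample rows are assumptions.

```python
"""Cardholder-data discovery over stored records.

Added example with constructed rows. Column names (card_number, cvv, notes) and the
CVV_FIELDS list are assumptions about a typical schema, not details from the case.
"""
import re

# 13 to 19 digits, optionally separated by spaces or hyphens as people type them.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed column names under which a CVV might have been stored.
CVV_FIELDS = {"cvv", "cvv2", "cvc", "csc", "security_code", "card_verification"}


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return every Luhn-valid card number found in text, separators removed."""
    out = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            out.append(digits)
    return out


def mask(pan):
    """First six and last four digits are all a report needs to show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit(rows):
    """Return (row_id, column, kind, masked_value) for every plaintext PAN in any
    column and every CVV-like value in a CVV column."""
    findings = []
    for row in rows:
        for col, val in row.items():
            if val is None:
                continue
            s = str(val)
            for pan in find_pans(s):
                findings.append((row["id"], col, "PAN", mask(pan)))
            if col.lower() in CVV_FIELDS and re.fullmatch(r"\d{3,4}", s.strip()):
                findings.append((row["id"], col, "CVV", "***"))
    return findings


# Constructed sample: a legacy plaintext PAN, a tokenised row whose CVV was missed
# by the deletion, a PAN buried in a free-text note, and a look-alike reference
# number that fails Luhn and must not be reported. Card numbers are public test
# numbers, not real accounts.
SAMPLE_ROWS = [
    {"id": 1, "name": "A. Customer", "card_number": "4111111111111111", "cvv": None, "notes": ""},
    {"id": 2, "name": "B. Customer", "card_number": "tok_9f1c2d", "cvv": "123", "notes": ""},
    {"id": 3, "name": "C. Customer", "card_number": "tok_77ab10", "cvv": None,
     "notes": "Called re claim; card 378282246310005 on file, expiry 03/14"},
    {"id": 4, "name": "D. Customer", "card_number": "tok_0c4e91", "cvv": None,
     "notes": "Policy ref 1234567890123456"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(finding)
```

Run over a real database export, a sweep like this should search every text column, not just the ones named for cards: the row-3 case, a card number pasted into a notes field by an agent, is where "we deleted them all" usually turns out to be untrue. Any PAN finding outside a tokenisation vault, and any CVV finding at all, is a record that should not exist.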

Chris McIntosh, chief executive of communications firm ViaSat UK, said: "While the ICO has been issuing monetary penalties since 2012, it seems that for too many organisations the lessons simply aren’t sinking in.

"True IT security means much more than simply putting firewalls and anti-virus in place. It also means ensuring that systems are regularly tested and updated, and that there are no weak links where an attacker can gain access."
