Who: UK Information Commissioner’s Office (“ICO”) and Staysure.co.uk Ltd (“Staysure”)
When: 20 February 2015
Law stated as at: 5 March 2015
Staysure, an online holiday insurance company, has been fined £175,000 by the ICO after hackers were able to access approximately three million customer records due to IT security failures.
The hack was discovered when Staysure was notified by its card acquirer of suspicious activity on customer accounts. The records potentially exposed included: over 100,000 live credit card details; medical records; and CVV numbers (the security number above the signature strip on a card), which should not be stored, according to standards set by the Payment Card Industry Security Standards Council.
That was the potential exposure, but the ICO’s investigation suggested that in reality only payment card data was targeted and downloaded. Even so, more than 5,000 customers had their credit cards used by the hackers after the attack.
The ICO’s investigation also found that Staysure did not have any policies or procedures for reviewing and updating its IT security systems. Staysure had also twice failed to update its software, which left security gaps, some of which remained open for five years. The attack could have been avoided, the ICO found, if the software had been updated.
The ICO concluded that Staysure had breached the seventh principle of the Data Protection Act 1998 (the “DPA”): “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The Head of Enforcement at the ICO said:
“It’s unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure. Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation.”
Why this matters:
The Head of Enforcement at the ICO warned that the fine “should send a clear message to other companies of the importance of proper IT security,” and the decision illustrates the importance of regularly reviewing and updating IT security systems.
The case also serves as a reminder that companies dealing with payment card details must comply not only with the DPA but also with the “PCI DSS”, the strict data security standard set by the Payment Card Industry Security Standards Council.