Halkyn Security Blog
Specialist Security & Risk Management Consultants

Staysure security breach leads to ICO Fine

The Information Commissioner’s Office announced on 24 Feb 2015 that it had levied a monetary penalty of £175,000 against the holiday insurance company Staysure. The fine came about as a result of Staysure suffering a security breach on their website which exposed more than 100,000 customer records and led to more than 5,000 customers having their credit cards used by fraudsters.

What is really surprising about the ICO investigation – and almost certainly led to the fairly large fine for a private sector body – is the discovery that Staysure had some very serious security failings.

The ICO reported that:

Attackers potentially had access to over 100,000 live credit card details, as well as customers’ medical details. Credit card security numbers, the number on the signature strips on the back of the cards, were also accessible despite industry rules that they should not be stored at all.

The important bit is the last sentence. Staysure have massively failed to comply with the PCI-DSS guidelines and by retaining this data have exposed their customers to monumental risks.

This is bad practice and any security professional would advise against it. In fact it is hard to see how this can be done while still complying with any of Staysure’s IT security policies, until you read further on in the announcement:

The company had no policy or procedures in place to review and update IT security systems, and had twice failed to update database software which could have prevented this incident. This left security flaws in the system, some for as long as five years, which hackers ultimately exploited to gain access to customer information.

So, it seems that despite providing an insurance product, in a heavily regulated industry and handling large amounts of very sensitive personal and financial data for their customers, Staysure failed to implement some basic security controls.

Staysure has been in business for ten years and has been exploited for at least five of them.

Staysure insurance fined for failing to have any security policies.

It is hard to know what the impact to Staysure’s business will be as a result of this breach. It may be minor – beyond the fine – but for any company dealing with customer data this is a massive risk to have carried for so long.
