The Information Commissioner’s Office announced on 24 Feb 2015 that it had levied a monetary penalty of £175,000 against the holiday insurance company Staysure. The fine came about as a result of Staysure suffering a security breach on their website which exposed more than 100,000 customer records and led to more than 5,000 customers having their credit cards used by fraudsters.
What is really surprising about the ICO investigation – and almost certainly led to the fairly large fine for a private sector body – is the discovery that Staysure had some very serious security failings.
The ICO reported that:
Attackers potentially had access to over 100,000 live credit card details, as well as customers’ medical details. Credit card security numbers, the number on the signature strips on the back of the cards, were also accessible despite industry rules that they should not be stored at all.
The important bit is the last sentence. Staysure have massively failed to comply with the PCI-DSS guidelines and by retaining this data have exposed their customers to monumental risks.
This is bad practice and any security professional would advise against it. In fact, it is hard to see how this could have been done while still complying with any of Staysure’s IT security policies, until you read further on in the announcement:
The company had no policy or procedures in place to review and update IT security systems, and had twice failed to update database software which could have prevented this incident. This left security flaws in the system, some for as long as five years, which hackers ultimately exploited to gain access to customer information.
So, it seems that despite providing an insurance product in a heavily regulated industry and handling large amounts of very sensitive personal and financial data for their customers, Staysure failed to implement some basic security controls.
Staysure has been in business for ten years and has been exploited for at least five of them.
It is hard to know what the impact on Staysure’s business will be as a result of this breach. It may be minor – beyond the fine – but for any company dealing with customer data this is a massive risk to have carried for so long.