{"id":1243,"date":"2015-03-02T09:00:48","date_gmt":"2015-03-02T09:00:48","guid":{"rendered":"http:\/\/www.halkynconsulting.co.uk\/a\/?p=1243"},"modified":"2015-04-18T11:07:46","modified_gmt":"2015-04-18T10:07:46","slug":"staysure-security-breach-leads-to-ico-fine","status":"publish","type":"post","link":"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/","title":{"rendered":"Staysure security breach leads to ICO Fine"},"content":{"rendered":"

The Information Commissioner’s Office announced on 24 Feb 2015 that it had levied a monetary penalty of \u00a3175,000 against the holiday insurance company Staysure. The fine came about as a result of Staysure suffering a\u00a0security breach on their website\u00a0which exposed more than 100,000 customer records and led to more than 5,000 customers having their credit cards used by fraudsters.<\/p>\n

What is really surprising about the ICO investigation – and almost certainly led to the fairly large fine for a private sector body – is the discovery that Staysure had some very serious security failings.<\/p>\n

The ICO reported<\/a> that:<\/p>\n

Attackers potentially had access to over 100,000 live credit card details, as well as customers\u2019 medical details. Credit card security numbers, the number on the signature strips on the back of the cards, were also accessible despite industry rules that they should not be stored at all.<\/p><\/blockquote>\n

The important bit is the last sentence. Staysure have massively failed to comply with the PCI-DSS guidelines and by retaining this data have exposed their customers to monumental risks.<\/p>\n

This is bad practice and any security professional would advise against it. In fact it is hard to see how this can be done while still complying with any of Staysure’s IT security policies, until you read further on in the announcement:<\/p>\n

The company had no policy or procedures in place to review and update IT security systems, and had twice failed to update database software which could have prevented this incident. This left security flaws in the system, some for as long as five years, which hackers ultimately exploited to gain access to customer information.<\/p><\/blockquote>\n

So, it seems that despite providing an insurance product, in a heavily regulated industry and handling large amounts of very sensitive personal and financial data for their customers, Staysure\u00a0failed to implement some basic security controls.<\/p>\n

Staysure has been in business for ten years and has been exploited for at least five of them.<\/p>\n

\"Staysure<\/a>
Staysure insurance fined for failing to have any security policies.<\/figcaption><\/figure>\n

It is hard to know what the impact to Staysure’s business will be as a result of this breach. It may be minor – beyond the fine- but for any company dealing with customer data this is a massive risk to have carried\u00a0for so long.<\/p>\n","protected":false},"excerpt":{"rendered":"

The Information Commissioner’s Office announced on 24 Feb 2015 that it had levied a monetary penalty of \u00a3175,000 against the holiday insurance company Staysure. The fine came about as a result of Staysure suffering a\u00a0security breach on their website\u00a0which exposed more than 100,000 customer records and led to more than 5,000 customers having their credit […]<\/p>\n","protected":false},"author":2,"featured_media":1244,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[5,21],"tags":[24,100,69,140,19],"class_list":["post-1243","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-security-risk-management","tag-data-protection","tag-dpa","tag-ico","tag-security","tag-srm","entry","has-media"],"jetpack_publicize_connections":[],"yoast_head":"\nStaysure security breach leads to ICO Fine<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Staysure security breach leads to ICO Fine\" \/>\n<meta property=\"og:description\" content=\"The Information Commissioner’s Office announced on 24 Feb 2015 that it had levied a monetary penalty of \u00a3175,000 against the holiday insurance company Staysure. The fine came about as a result of Staysure suffering a\u00a0security breach on their website\u00a0which exposed more than 100,000 customer records and led to more than 5,000 customers having their credit […]\" \/>\n<meta property=\"og:url\" content=\"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/\" \/>\n<meta property=\"og:site_name\" content=\"Halkyn Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2015-03-02T09:00:48+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2015-04-18T10:07:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2015\/02\/staysure.jpg?fit=1072%2C1080&ssl=1\" \/>\n\t<meta property=\"og:image:width\" content=\"1072\" \/>\n\t<meta property=\"og:image:height\" content=\"1080\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Taz Wake - Halkyn Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/tazwake\" \/>\n<meta name=\"twitter:site\" content=\"@HalkynSecurity\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Taz Wake - Halkyn Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/#article\",\"isPartOf\":{\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/\"},\"author\":{\"name\":\"Taz Wake - Halkyn Security\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/person\/6eb0b544119827df120fb596772d25bc\"},\"headline\":\"Staysure security breach leads to ICO Fine\",\"datePublished\":\"2015-03-02T09:00:48+00:00\",\"dateModified\":\"2015-04-18T10:07:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/\"},\"wordCount\":393,\"commentCount\":0,\"publisher\":{\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#organization\"},\"keywords\":[\"Data Protection\",\"DPA\",\"ICO\",\"Security\",\"Security Risk Management\"],\"articleSection\":[\"Security\",\"Security Risk Management\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/\",\"url\":\"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/\",\"name\":\"Staysure security breach leads to ICO Fine\",\"isPartOf\":{\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#website\"},\"datePublished\":\"2015-03-02T09:00:48+00:00\",\"dateModified\":\"2015-04-18T10:07:46+00:00\",\"breadcrumb\":{\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Halkyn Security\",\"item\":\"http:\/\/www.halkynconsulting.co.uk\/a\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"http:\/\/www.halkynconsulting.co.uk\/a\/category\/security\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Staysure security breach leads to ICO Fine\"}]},{\"@type\":\"WebSite\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#website\",\"url\":\"http:\/\/www.halkynconsulting.co.uk\/a\/\",\"name\":\"Halkyn Security Blog\",\"description\":\"Specialist Security & Risk Management Consultants\",\"publisher\":{\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/www.halkynconsulting.co.uk\/a\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Organization\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#organization\",\"name\":\"Halkyn Consulting\",\"url\":\"http:\/\/www.halkynconsulting.co.uk\/a\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2011\/07\/Untitled-1.png?fit=990%2C170&ssl=1\",\"contentUrl\":\"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2011\/07\/Untitled-1.png?fit=990%2C170&ssl=1\",\"width\":\"990\",\"height\":\"170\",\"caption\":\"Halkyn Consulting\"},\"image\":{\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/2329571\",\"https:\/\/twitter.com\/HalkynSecurity\"]},{\"@type\":\"Person\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/person\/6eb0b544119827df120fb596772d25bc\",\"name\":\"Taz Wake - Halkyn Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6689803eeae3e16b54fab3a7a1dfd1a5ee70f3ca1a83e77278a1b1adfedc4260?s=96&d=retro&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6689803eeae3e16b54fab3a7a1dfd1a5ee70f3ca1a83e77278a1b1adfedc4260?s=96&d=retro&r=g\",\"caption\":\"Taz Wake - Halkyn Security\"},\"description\":\"Certified Information Systems Security Professional with over 19 years experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.\",\"sameAs\":[\"http:\/\/www.halkynconsulting.co.uk\",\"https:\/\/twitter.com\/https:\/\/twitter.com\/tazwake\"],\"url\":\"http:\/\/www.halkynconsulting.co.uk\/a\/author\/tazwake\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Staysure security breach leads to ICO Fine","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/","og_locale":"en_GB","og_type":"article","og_title":"Staysure security breach leads to ICO Fine","og_description":"The Information Commissioner’s Office announced on 24 Feb 2015 that it had levied a monetary penalty of \u00a3175,000 against the holiday insurance company Staysure. The fine came about as a result of Staysure suffering a\u00a0security breach on their website\u00a0which exposed more than 100,000 customer records and led to more than 5,000 customers having their credit […]","og_url":"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/","og_site_name":"Halkyn Security Blog","article_published_time":"2015-03-02T09:00:48+00:00","article_modified_time":"2015-04-18T10:07:46+00:00","og_image":[{"width":1072,"height":1080,"url":"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2015\/02\/staysure.jpg?fit=1072%2C1080&ssl=1","type":"image\/jpeg"}],"author":"Taz Wake - Halkyn Security","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/tazwake","twitter_site":"@HalkynSecurity","twitter_misc":{"Written by":"Taz Wake - Halkyn Security","Estimated reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/#article","isPartOf":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/"},"author":{"name":"Taz Wake - Halkyn Security","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/person\/6eb0b544119827df120fb596772d25bc"},"headline":"Staysure security breach leads to ICO Fine","datePublished":"2015-03-02T09:00:48+00:00","dateModified":"2015-04-18T10:07:46+00:00","mainEntityOfPage":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/"},"wordCount":393,"commentCount":0,"publisher":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#organization"},"keywords":["Data Protection","DPA","ICO","Security","Security Risk Management"],"articleSection":["Security","Security Risk Management"],"inLanguage":"en-GB","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/#respond"]}]},{"@type":"WebPage","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/","url":"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/","name":"Staysure security breach leads to ICO Fine","isPartOf":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#website"},"datePublished":"2015-03-02T09:00:48+00:00","dateModified":"2015-04-18T10:07:46+00:00","breadcrumb":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2015\/03\/staysure-security-breach-leads-to-ico-fine\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Halkyn Security","item":"http:\/\/www.halkynconsulting.co.uk\/a\/"},{"@type":"ListItem","position":2,"name":"Security","item":"http:\/\/www.halkynconsulting.co.uk\/a\/category\/security\/"},{"@type":"ListItem","position":3,"name":"Staysure security breach leads to ICO Fine"}]},{"@type":"WebSite","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#website","url":"http:\/\/www.halkynconsulting.co.uk\/a\/","name":"Halkyn Security Blog","description":"Specialist Security & Risk Management Consultants","publisher":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/www.halkynconsulting.co.uk\/a\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#organization","name":"Halkyn Consulting","url":"http:\/\/www.halkynconsulting.co.uk\/a\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2011\/07\/Untitled-1.png?fit=990%2C170&ssl=1","contentUrl":"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2011\/07\/Untitled-1.png?fit=990%2C170&ssl=1","width":"990","height":"170","caption":"Halkyn Consulting"},"image":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/company\/2329571","https:\/\/twitter.com\/HalkynSecurity"]},{"@type":"Person","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/person\/6eb0b544119827df120fb596772d25bc","name":"Taz Wake - Halkyn Security","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6689803eeae3e16b54fab3a7a1dfd1a5ee70f3ca1a83e77278a1b1adfedc4260?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6689803eeae3e16b54fab3a7a1dfd1a5ee70f3ca1a83e77278a1b1adfedc4260?s=96&d=retro&r=g","caption":"Taz Wake - Halkyn Security"},"description":"Certified Information Systems Security Professional with over 19 years experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.","sameAs":["http:\/\/www.halkynconsulting.co.uk","https:\/\/twitter.com\/https:\/\/twitter.com\/tazwake"],"url":"http:\/\/www.halkynconsulting.co.uk\/a\/author\/tazwake\/"}]}},"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2015\/02\/staysure.jpg?fit=1072%2C1080&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9yHvD-k3","jetpack_likes_enabled":true,"_links":{"self":[{"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/posts\/1243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/comments?post=1243"}],"version-history":[{"count":3,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/posts\/1243\/revisions"}],"predecessor-version":[{"id":1247,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/posts\/1243\/revisions\/1247"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/media\/1244"}],"wp:attachment":[{"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/media?parent=1243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/categories?post=1243"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/tags?post=1243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}