Monetary Penalty Notice for Insurance Company

February 25, 2015

An online holiday insurance company, the ironically titled Staysure, has been fined £175,000 by the ICO after IT security failings let hackers access customer records. More than 5,000 customers had their credit cards used by fraudsters after the attack on Staysure.co.uk. The full monetary penalty notice is available here.

Attackers potentially had access to over 100,000 live credit card details, as well as customers' medical details. Credit card security numbers (CVV numbers) were also accessible, despite industry rules that they should not be stored at all.

An ICO investigation found that the company had no policy or procedures in place to review and update IT security systems, and had twice failed to update database software which could have prevented the incident. This left security flaws in the system, some for as long as five years, which hackers ultimately exploited to gain access to customer information.

Steve Eckersley, Head of Enforcement at the ICO, said:

‘It’s unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure. Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation. The fine issued by the ICO today should send a clear message to other companies of the importance of proper IT security.’

The facts behind the monetary penalty notice make for salutary reading. In October 2013 the Staysure website was attacked by someone exploiting a vulnerability in the JBoss Application Server on which its web server ran. The attacker used this vulnerability to upload a malicious JSP (JavaServer Pages) page, the JspSpy web shell; this created a backdoor on the web server that allowed the attacker to remotely view and modify the website's source code and to query the website's back-end database, where customer data was stored. It also gave the attackers a command shell from which to remotely execute privileged operating system commands.
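The attack described above went unnoticed until the card acquirer reported fraud. As an added illustration, not part of the ICO notice or of the original article, the script below shows one of the simplest controls that would have surfaced a planted web shell on the day it appeared: a hash baseline of the deployed web content taken at deployment time, a diff against the live tree, and a scan of any new or changed JSP files for command-execution patterns. The web root layout, file names, the two-line stand-in shell and the indicator list are all constructed for the demonstration; the indicators are generic JSP patterns, not a signature of JspSpy or any other tool.

```python
"""Added example (not from the ICO notice or from Staysure's own systems):
file-integrity baseline plus indicator scan for a JBoss/Tomcat-style web root.

Everything under the constructed web root is made up for the demo."""
import hashlib
import re
import tempfile
from pathlib import Path

# Generic indicators of a JSP that executes OS commands or writes files.
# Assumption: this list covers common hand-written shells; obfuscated ones
# may evade it, which is why the hash diff, not the scan, is the primary signal.
SHELL_INDICATORS = {
    "runtime-exec": re.compile(r"Runtime\.getRuntime\(\)\s*\.\s*exec\s*\("),
    "process-builder": re.compile(r"new\s+ProcessBuilder\s*\("),
    "param-to-exec": re.compile(r"exec\s*\(\s*request\.getParameter\s*\("),
    "file-write": re.compile(r"new\s+FileOutputStream\s*\("),
}

JSP_SUFFIXES = {".jsp", ".jspx", ".jspf"}

# Constructed benign page: it reads a request parameter but never executes it.
BENIGN_JSP = """<%@ page contentType="text/html" %>
<html><body><h1>Quote request</h1>
<p>Hello <%= request.getParameter("name") %></p>
</body></html>
"""

# Constructed stand-in for a planted shell: runs whatever the "cmd" parameter says.
PLANTED_SHELL = """<%@ page import="java.io.*" %>
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
"""


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(web_root: Path) -> dict:
    """Map every deployed file (path relative to the web root) to its SHA-256."""
    return {
        str(p.relative_to(web_root)): sha256_file(p)
        for p in sorted(web_root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(web_root: Path, baseline: dict) -> dict:
    """Files added, removed or modified since the baseline was recorded."""
    current = build_baseline(web_root)
    common = current.keys() & baseline.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if current[p] != baseline[p]),
    }


def scan_jsp(path: Path) -> list:
    """Names of the indicators that match the file's contents."""
    text = path.read_text(errors="replace")
    return [name for name, rx in SHELL_INDICATORS.items() if rx.search(text)]


def find_web_shells(web_root: Path, baseline: dict) -> dict:
    """JSP files added or modified since the baseline that carry shell indicators."""
    changes = diff_baseline(web_root, baseline)
    suspects = {}
    for rel in changes["added"] + changes["modified"]:
        p = web_root / rel
        if p.suffix.lower() in JSP_SUFFIXES:
            hits = scan_jsp(p)
            if hits:
                suspects[rel] = hits
    return suspects


def run_demo() -> dict:
    """Build the constructed web root, baseline it, plant a shell, detect it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "deploy" / "site.war"      # constructed deployment
        (root / "WEB-INF").mkdir(parents=True)
        (root / "index.jsp").write_text(BENIGN_JSP)
        (root / "WEB-INF" / "web.xml").write_text("<web-app/>")
        baseline = build_baseline(root)                # recorded at deployment time
        before = find_web_shells(root, baseline)       # clean tree: nothing flagged
        (root / "cmd.jsp").write_text(PLANTED_SHELL)   # the simulated attack
        (root / "index.jsp").write_text(BENIGN_JSP + "<!-- edited -->")
        after = find_web_shells(root, baseline)
        changes = diff_baseline(root, baseline)
    return {"before": before, "after": after, "changes": changes}


if __name__ == "__main__":
    print(run_demo())
```

The edited `index.jsp` shows up in the diff as modified but is not flagged, because reading a request parameter is not on its own an indicator; the planted `cmd.jsp` is flagged on two indicators. In practice the baseline would be written at deployment and the diff run from a host agent or cron job, with the list of added and modified files alerting on its own: a shell injected into an existing page, or one that hides its execution behind reflection or encoding, still changes a hash.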

The JBoss Application Server vulnerability, and the software update that fixed it, had first been published in 2010, and a similar vulnerability and its update were published in 2013. Staysure had no formal process for reviewing and applying software updates, and neither update was applied.

The evidence suggests that only payment card data was targeted and downloaded although a great deal of other personal data was available to the attacker.

Although payment card numbers (though not CVV numbers) had been encrypted since at least June 2008, the attackers were able to identify the keys used to encrypt the data and to decrypt the card numbers with them. Encryption at rest protects data only against an attacker who cannot also obtain the key; once the web server itself is under an attacker's control, any key that the application can read is available to the attacker too.

The investigation showed that the data controller stored CVV numbers to assist with policy renewals. Industry rules (PCI DSS) prohibit retaining the CVV after authorisation, and although Staysure realised in 2012 that the numbers should not have been held, they were never deleted.

The attack was discovered only after the data controller was notified by its card acquirer of suspicious activity on customer accounts.

One ground of mitigation in determining the amount of the penalty may be of particular interest:

‘The data controller subsequently notified the data subjects of the security breach and provided a dedicated response team to assist customers together with a free Experian Data Patrol subscription for a period of six months.’