An online travel insurance company that stored sensitive payment card details was found to be in breach of both the payment card industry's data security requirements (PCI DSS) and the UK Data Protection Act after those details were stolen by attackers. As a result, on February 20, 2015, it was fined £175,000 by the UK's Information Commissioner's Office (ICO).
According to the ICO, the travel insurance company Staysure.co.uk (“Staysure”) did not take sufficient steps to secure the information it retained about its customers and was responsible for a serious breach of the Data Protection Act. The ICO found that Staysure failed to put processes into place to ensure software updates were applied, leading to vulnerabilities in the company’s IT systems.
This allowed the attackers to gain access to a customer database containing records on around three million customers. The database included names, dates of birth, email and postal addresses, phone numbers, travel dates and destinations, and medical screening responses.
The compromised database also contained payment card information, including over 100,000 sets of credit card details relating to more than 90,000 individual customers. This comprised payment card numbers, card expiry dates and CVV data (the three-digit security code on the back of a card, four digits on American Express, that merchants use to verify card-not-present transactions). The stolen details were subsequently used in more than 5,000 fraudulent transactions.
Although some of the payment card data was encrypted, the attackers were able to "identify the keys used in encrypting the data and then use these to decrypt the payment card numbers." Encryption at rest offers little protection when the keys are stored on, or recoverable from, the same compromised system: the attacker simply decrypts what they took. Staysure had identified that it had incorrectly stored CVV numbers and later decided to delete them, but "human error" meant that "the work to delete and cease storage of the CVV numbers was not completed." PCI DSS prohibits storing the CVV after a transaction has been authorized, even in encrypted form, so the only compliant fix is to purge the stored values and stop writing them, and then to verify that the purge actually happened.
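The "work to delete and cease storage of the CVV numbers was not completed" is exactly the kind of gap a periodic check should catch. The following is an added example, not Staysure's code or anything from the ICO notice: it walks stored payment records looking for CVV-like fields and for CVVs pasted into free-text notes, and shows a sanitizer that strips that data before a record is persisted. The field-name pattern, the record layout and the sample records are all constructed for illustration.

```python
import re

# Field names under which sensitive authentication data (SAD) tends to hide.
# This list is an assumption for the example; extend it for your own schema.
SAD_KEY_RE = re.compile(
    r"^(cvv2?|cvc2?|cid|csc|security[_ ]?code|card[_ ]?verification)$", re.I
)
# Free-text mention such as "cvv 123" or "CVC: 9876" in notes or comments.
CVV_IN_TEXT_RE = re.compile(
    r"\b(cvv2?|cvc2?|security code)\s*[:=]?\s*(\d{3,4})\b", re.I
)


def find_sad(record, path=""):
    """Return the paths inside a stored record where CVV-like data lingers.

    Handles nested dicts and lists; a matching key with a non-empty value is a
    finding, and so is a string that mentions a CVV alongside digits.
    """
    hits = []
    if isinstance(record, dict):
        for key, value in record.items():
            child = f"{path}.{key}" if path else str(key)
            if SAD_KEY_RE.match(str(key)) and value not in (None, ""):
                hits.append(child)  # the field itself should not exist
            else:
                hits.extend(find_sad(value, child))
    elif isinstance(record, list):
        for i, value in enumerate(record):
            hits.extend(find_sad(value, f"{path}[{i}]"))
    elif isinstance(record, str):
        if CVV_IN_TEXT_RE.search(record):
            hits.append(path)
    return hits


def sanitize_for_storage(record):
    """Return a copy of the record with SAD removed, safe to persist.

    The CVV is needed only for the authorization call and must never be
    written to disk, so it is dropped here rather than encrypted.
    """
    if isinstance(record, dict):
        return {
            key: sanitize_for_storage(value)
            for key, value in record.items()
            if not SAD_KEY_RE.match(str(key))
        }
    if isinstance(record, list):
        return [sanitize_for_storage(value) for value in record]
    if isinstance(record, str):
        # Redact the digits but keep the surrounding note readable.
        return CVV_IN_TEXT_RE.sub(lambda m: f"{m.group(1)} [removed]", record)
    return record


def audit(records):
    """Map record id -> offending paths, for every record that still holds SAD."""
    findings = {}
    for record in records:
        hits = find_sad(record)
        if hits:
            findings[record["id"]] = hits
    return findings


# Constructed sample records (not real customer data). PANs are assumed to be
# tokenized already; the point here is the CVV, which must not be stored at all.
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Customer",
     "card": {"pan_token": "tok_4f3a", "expiry": "09/27", "cvv": "123"}},
    {"id": 2, "name": "B. Customer",
     "card": {"pan_token": "tok_9c21", "expiry": "01/26", "cvv": ""}},
    {"id": 3, "name": "C. Customer",
     "card": {"pan_token": "tok_77b0", "expiry": "11/25"},
     "notes": ["customer phoned, CVC: 9876 read out for manual auth"]},
    {"id": 4, "name": "D. Customer",
     "card": {"pan_token": "tok_0d1e", "expiry": "05/28"}},
]

if __name__ == "__main__":
    print("before:", audit(SAMPLE_RECORDS))
    cleaned = [sanitize_for_storage(r) for r in SAMPLE_RECORDS]
    print("after: ", audit(cleaned))
```

Run the audit against a database export on a schedule and treat any non-empty result as an incident, not a backlog item: a blank CVV field (record 2) is tolerable, a populated one (record 1) or a CVV buried in a support note (record 3) is a PCI DSS violation regardless of how the rest of the record is encrypted.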
The ICO’s Verdict
In its monetary penalty notice, the ICO outlined a number of factors taken into account when imposing the fine:
- Aggravating Factors – Personal data was used for fraudulent transactions, and Staysure should have been aware of the software vulnerability as early as 2010.
- Mitigating Factors – Staysure was the victim of a criminal attack. The company was in the process of upgrading its IT systems at the time of the breach and it voluntarily reported the breach and remained cooperative with the ICO’s investigation. It also notified affected customers and took remedial action to remove payment card data from its systems.
Under the Data Protection Act, data controllers are required to take "appropriate technical and organisational measures" against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." Businesses that fail to meet this standard risk a fine of up to £500,000 from the ICO if the resulting personal data breach is deemed serious.
According to Steve Eckersley, head of enforcement at the ICO:
“It’s unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure. Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation.”
The ICO intends that this fine should “send a clear message to other companies of the importance of proper IT security.”
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Europe (CIPP/E) exam, as well as the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
- European data protection law and regulation – data subjects rights (CIPP/E; II.F.)
- European data protection law and regulation – notification requirements (CIPP/E; II.H.)
- Data types – credit card information (CIPP/IT; I.A.c.iii.)
- PCI regulated data (CIPP/IT; I.C.c.i.)