Online insurance firm Staysure has been fined £175,000 by privacy watchdog the Information Commissioner’s Office (ICO) after IT security failings exposed the details of 100,000 customers.
Over 5,000 customers had their details used in follow-up ID fraud scams, and the hackers “potentially” had access to many more credit card details, the ICO said in a statement.
The breach also exposed affected customers’ medical details and the CVV numbers from the backs of their cards, even though industry best practice clearly states that CVVs should never be stored at all, it added.
Not only did the firm breach the Data Protection Act; it was also found to have failed to update crucial database software, an update that could have prevented the incident.
It also allowed IT security flaws to go unpatched for up to five years – flaws that were ultimately exploited by the attackers, the ICO claimed.
The watchdog’s head of enforcement, Steve Eckersley, said in a statement that he hopes the fine sends a “clear message” to UK firms on the importance of information security.
“It’s unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure,” he added. “Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation.”
Chris McIntosh, CEO of security and comms firm ViaSat UK, argued that despite heavy fines from the ICO, the “lessons simply aren’t sinking in” for many.
“True IT security means much more than simply putting firewalls and anti-virus in place. It also means ensuring that systems are regularly tested and updated, and that there are no weak links where an attacker can gain access,” he said.
“For instance, there is no sense in having the best firewall money can buy if database software isn’t updated when appropriate. To begin with, organizations should ensure they have considered every potential gap in their security, from software to hardware to the potential for human error. Once they have accounted for all of these, the next step is to act as if the worst has already happened.”