The Information Commissioner’s Office (ICO) has published the monetary penalty notice it has issued to Staysure.co.uk Ltd, a specialist online travel insurer, imposing a fine of £175,000 for failing to keep customers’ personal information secure, in breach of the Data Protection Act 1998 (DPA 1998).
The ICO found that the firm’s website had been attacked by someone exploiting a vulnerability in the firm’s IT security. The IT failings let hackers access a database containing approximately three million customer records. Attackers potentially had access to over 110,000 live credit card details relating to over 90,000 customers, as well as customers’ medical details. Over 5,000 customers had their credit cards used by fraudsters after the attack.
The firm had no policy or procedures in place to review and update its IT security systems, and had twice failed to apply database software updates that could have prevented this incident. This left security flaws in the firm’s systems unaddressed, some for as long as five years, which the hackers ultimately exploited to gain access to customer information.