The Information Commissioner's Office ("ICO") has fined Staysure, an online holiday insurance company, £175,000 after weaknesses in its online security allowed hackers access to approximately three million customer records.
During the period of 14 to 28 October 2013 the hackers potentially had access to a large amount of customer data. The records potentially exposed included over 100,000 live credit card details, medical records and CVV numbers (the security code printed on the signature strip of a card). Under the PCI DSS standard set by the Payment Card Industry Security Standards Council, the CVV is sensitive authentication data and must not be stored once a transaction has been authorised.
The extent of the exposure can only be assessed retrospectively. The ICO's investigation suggested that in practice only payment card data was targeted and downloaded, and that more than 5,000 customers had their credit cards used fraudulently after the attack.
The weaknesses were traced to the fact that Staysure had no policies or procedures for reviewing and updating its IT security systems. On two occasions Staysure had failed to apply available software updates, leaving known vulnerabilities open, some of them for five years.
The basis for the ICO fine was that Staysure had breached the seventh principle of the Data Protection Act 1998 (the "DPA"): "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
The Head of Enforcement at the ICO said:
"It's unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure. Keeping personal information secure is a basic legal requirement. The company's actions were unacceptable and this penalty notice reflects the severity of the situation."
Lessons for Businesses
The ICO chose to publicise Staysure because it is an extreme example of poor security practice. The obvious aim in publishing the fine, however, is to send a clear message to other businesses about the importance of keeping their IT security systems up to date and secure.
The case also serves as a reminder that companies handling payment card details must comply not only with the DPA but also with the PCI DSS (Payment Card Industry Data Security Standard), the strict data security standard set by the Payment Card Industry Security Standards Council, which among other things prohibits storing the CVV after authorisation.
The checklist below provides basic guidance for businesses wishing to ensure that they have an adequate online security system. These are simple actions and basic behaviours that every business should follow:
1. Apply software updates: Ensure that your IT department applies software updates promptly after they are released, and has a written procedure for checking that nothing has been missed. Updates contain vital security fixes that keep devices and business information safe; unapplied updates were precisely the failing in the Staysure case.
2. Use strong passwords: Use strong passwords made up of at least three random words, chosen at random rather than words with personal meaning. Adding lower and upper case letters, numbers and symbols will make your passwords stronger still.
3. Delete suspicious emails: Delete suspicious emails, as they may contain fraudulent requests for information or links to malware.
4. Use anti-virus software: Computers, tablets and smartphones can easily become infected by malicious software (malware, including viruses). Install internet security software such as anti-virus on all your devices to help prevent infection.
5. Train staff: Make staff aware of cyber security threats and how to deal with them.
The above principles are advice on cyber security at the most basic level. They are of crucial importance, but they are a minimum rather than a complete security programme, and following them alone does not guarantee security.
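As an added illustration of item 2 in the checklist (this is example code written for this article, not part of the original text or of any ICO or PCI guidance), the following Python script estimates the strength in bits of a "three random words" passphrase and compares it with character-based passwords. The word list embedded in it is constructed for the example; the figure of 7,776 words is the size of the EFF large wordlist and is used here only as an assumed list size.

```python
import math
import secrets

# Constructed sample word list for the generator. A real deployment would load a
# published list (for example the EFF large wordlist, 7,776 words). The entropy
# figures depend only on the size of the list, not on these particular words.
SAMPLE_WORDS = [
    "anchor", "basil", "cactus", "dagger", "ember", "falcon", "garnet",
    "harbour", "ivory", "juniper", "kestrel", "lantern", "marble", "nectar",
    "orbit", "pebble", "quartz", "raven", "saddle", "timber", "umbra",
    "velvet", "willow", "yonder", "zephyr",
]


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of word_count words, each drawn uniformly at
    random from a list of wordlist_size words: log2 of the number of equally
    likely passphrases. The figure is only valid if the words really are
    chosen at random, not picked by the user."""
    if word_count < 1 or wordlist_size < 2:
        raise ValueError("need at least one word drawn from a list of two or more")
    return word_count * math.log2(wordlist_size)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a password of `length` characters, each drawn uniformly at
    random from an alphabet of charset_size symbols (94 printable ASCII
    symbols for upper + lower + digits + punctuation)."""
    if length < 1 or charset_size < 2:
        raise ValueError("need at least one character from an alphabet of two or more")
    return length * math.log2(charset_size)


def generate_passphrase(words, word_count=3, separator="-", choose=secrets.choice):
    """Build a passphrase of word_count words using a cryptographically secure
    random choice. `choose` is injectable so a test can make the output
    deterministic; production callers should leave the default."""
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    return separator.join(choose(words) for _ in range(word_count))


def compare_policies(wordlist_size=7776):
    """Entropy in bits of a few password policies, for setting a minimum."""
    return {
        "three random words": passphrase_entropy_bits(3, wordlist_size),
        "four random words": passphrase_entropy_bits(4, wordlist_size),
        "8 random chars, all classes": charset_entropy_bits(8, 94),
        "12 random chars, all classes": charset_entropy_bits(12, 94),
    }


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        print(f"{name:32s} {bits:6.1f} bits")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 3))
```

Running it shows three words from a 7,776-word list give about 38.8 bits and four words about 51.7 bits, roughly the same as eight fully random mixed-class characters (52.4 bits). The arithmetic only holds when the words are drawn at random from a large list; a user who picks three meaningful words gets far less. It is also worth remembering that in the Staysure case the weakness was unpatched software, which no password policy addresses.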
To discuss any of the issues raised in this article please contact Stephen Foster, Corporate Partner, at firstname.lastname@example.org or by telephoning 0161 833 9211.
The information and opinions contained in this article are not intended to be comprehensive or to provide legal advice. No responsibility for the article's accuracy or correctness is assumed by Berg or any of its partners or employees. Professional legal advice should be obtained before taking, or refraining from taking, any action as a result of the contents of this article.