Staysure fails to comply with the PCI DSS and is fined £175,000 by the ICO


Online travel insurance provider Staysure.co.uk has been fined £175,000 by the Information Commissioner’s Office, following a data breach involving payment card data caused by a cyber attack.

The company had stored the three-digit card verification code (also known as the card security code, CVV2 or CVC2) alongside the card numbers. Under the Payment Card Industry Data Security Standard (PCI DSS) this is sensitive authentication data that must not be stored after authorisation, even in encrypted form (Requirement 3.2).
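The practical control behind that requirement is a sanitisation step in front of whatever persists a payment record: drop sensitive authentication data outright, store the PAN only in masked or truncated form, and catch card numbers that have leaked into free-text fields such as call notes. The block below is an added example written for this article, not code from Staysure or from the PCI SSC; the field names (`cvv`, `card_number`, `notes`), the PCI-style first-six/last-four mask and the sample record are all assumptions made for the demonstration.

```python
import re

# Field names treated as sensitive authentication data (SAD). PCI DSS
# Requirement 3.2 forbids storing any of these after authorisation.
# The names are assumptions for this example; map your own schema onto them.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cid", "track1", "track2", "pin", "pin_block"}

# Fields that legitimately hold a PAN and must be masked before storage.
PAN_FIELDS = {"pan", "card_number"}

# 13-19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run. Candidates are confirmed with a Luhn check below.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, filters most false hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (PCI DSS masking), star the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_text(text: str) -> tuple[str, int]:
    """Mask any Luhn-valid card number found in free text; return (text, count)."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group()        # not a card number, leave untouched

    return PAN_RE.sub(repl, text), count


def scrub_record(record: dict) -> tuple[dict, list[str]]:
    """Return a copy safe to persist plus a list of findings for the audit log.

    SAD fields are dropped, PAN fields are masked, and PANs leaked into
    other string fields are masked in place. A PAN field that fails the
    Luhn check raises ValueError so a corrupt record is rejected, not stored.
    """
    clean: dict = {}
    findings: list[str] = []
    for key, value in record.items():
        k = key.lower()
        if k in SAD_FIELDS:
            findings.append(f"dropped sensitive authentication data field '{key}'")
            continue
        if k in PAN_FIELDS and isinstance(value, str):
            clean[key] = mask_pan(value)
            continue
        if isinstance(value, str):
            value, hits = redact_text(value)
            if hits:
                findings.append(f"masked {hits} PAN(s) found in free-text field '{key}'")
        clean[key] = value
    return clean, findings


# Constructed sample record for the example (test card number, not a real one).
SAMPLE_RECORD = {
    "name": "A Customer",
    "card_number": "4111 1111 1111 1111",
    "expiry": "12/16",
    "cvv": "123",
    "notes": "customer read out card 4111111111111111 and cvv over the phone; ref 1234567890123456",
}

if __name__ == "__main__":
    safe, audit = scrub_record(SAMPLE_RECORD)
    print(safe)
    for line in audit:
        print("AUDIT:", line)
```

Run this against records before they reach the database or a log sink. The Luhn filter keeps the free-text pass from mangling order references and phone numbers, while the masked PAN still supports renewal lookups by last four digits, which is the use Staysure's chief executive gives for the legacy store.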

About 110,000 card details and 93,000 customers were affected by the hack.

The company allegedly found out about the breach on 14 November 2014, and issued a statement to affected customers:  “While the payment card number you provided was encrypted, some of the other personal data that you provided to us, including the 3 digit CVV number on the back of the card, may have been accessed.”

The encryption did not protect the data: the compromise also allowed the attackers to identify the keys used to encrypt it, so they were able to decrypt the payment card numbers.

The compromise itself happened in October 2013, when attackers were able to place the ‘JSPSpy’ web shell (a JSP backdoor) on the firm’s website. This gave the attackers control of the site and let them query the customer database sitting behind it.

The vulnerability they exploited was an old one, for which a patch had been published in 2010. Staysure had not applied it, leaving its website open to attack.

The company has been widely criticised for not implementing effective information security practices, given that its database held the details of approximately three million customers. The travel firm had no defined process for applying security updates.

The chief executive, Ryan Howsam, said that the details were stored on legacy systems that were initially introduced to help customers with their renewal process.

The ICO found that Staysure.co.uk “failed to put processes in place to ensure that software updates were applied.”

Hackers were able to access customer names, dates of birth, addresses, email addresses, phone numbers, travel dates, travel destinations and medical information, in addition to payment card numbers, card expiry dates and CVVs.

Organisations that store, transmit or process cardholder data must comply with the PCI DSS. The scope is not limited to electronic systems: it also covers paper records such as receipts and mail order forms, and recordings of phone conversations in which cardholder data is read out to call centre operators. IT Governance Ltd is an authorised PCI QSA, supplying the full range of PCI compliance, QSA audit and consultancy services.
