Information Commissioner's Office
ICO fines insurance firm after hacked card details used for fraud
An online holiday insurance company has been fined £175,000 by the ICO after IT security failings let hackers access customer records.
More than 5,000 customers had their credit cards used by fraudsters after the attack on Staysure.co.uk.
Attackers potentially had access to over 100,000 live credit card details, as well as customers’ medical details. Credit card security numbers, the
number on the signature strips on the back of the cards, were also accessible despite industry rules that they should not be stored at all.
An ICO investigation found the company had breached the Data Protection Act by failing to keep the personal information secure. The company had no policy or procedures in place to review and update IT security systems, and had twice failed to update database software which could have prevented this incident. This left security flaws in the system, some for as long as five years, which hackers ultimately exploited to gain access to customer information.
Steve Eckersley, Head of Enforcement at the ICO, said recently:
“It’s unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure. Keeping personal information secure is a basic legalrequirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation.”
“The fine issued by the ICO today should send a clear message to other companies of the importance of proper IT security.”
If you need more information, please contact the ICO press office on 0303 123 9070.
Notes to editors
- The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter.Our Press Office page provides more information for journalists.
- Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to other countries without adequate protection
Latest News from
Information Commissioner's Office
ICO fines four firms targeting people with home improvement predatory marketing calls04/10/2022 09:10:00
The Information Commissioner’s Office (ICO) has fined four companies a total of £370,000 for making over 820,000 home improvement predatory marketing calls to people registered with the Telephone Preference Service.
Action taken against SEVEN organisations who failed in their duty to respond to information access requests29/09/2022 12:25:00
The Information Commissioner’s Office (ICO) has taken action against seven organisations who have failed to respond to the public when asked for personal information held about them, known as a Subject Access Request (SAR).
Director’s Update – International Day for Universal Access to Information 202228/09/2022 12:25:00
This is the fourth in a series of updates from Warren Seddon, Director of FOI and Transparency.
ICO could impose multi-million pound fine on TikTok for failing to protect children’s privacy26/09/2022 14:10:00
TikTok could face a £27 million fine after an ICO investigation found that the company may have breached UK data protection law, failing to protect children’s privacy when using the TikTok platform.
ICO launches second consultation on the draft Data protection and journalism code21/09/2022 14:10:00
The Information Commissioner’s Office (ICO) has launched a second consultation on a draft code of practice about using personal data for journalism (the code).
Tribute to Her Majesty The Queen09/09/2022 14:20:00
Statement given by John Edwards, Information Commissioner.
ICO takes action against two government departments for failing to comply with the Freedom of Information Act 200009/09/2022 12:25:00
The Information Commissioner’s Office (ICO) has issued an enforcement notice to the Department for International Trade (DIT) and a practice recommendation to the Department for Business, Energy and Industrial Strategy (BEIS), for persistent failures to respond to information access requests within the statutory time limit.
ICO publishes guidance on privacy enhancing technologies07/09/2022 15:15:00
The Information Commissioner’s Office (ICO) has published draft guidance on privacy-enhancing technologies (PETs) to help organisations unlock the potential of data by putting a data protection by design approach into practice.