2013 ended just as it had begun, with yet another cyber-attack against a firm holding customer data. The personal and confidential information of thousands of Staysure customers was stolen by hackers. The cyber-attack saw the credit card details of nearly 100,000 travel insurance customers compromised. The travel insurance provider has revealed that the card payment details of customers who purchased insurance from Staysure before May 2012 were stolen, including CVV details (the three-digit number on the back of a card required to make purchases) together with customer names and addresses. Customers who purchased insurance after this date were not affected by the hack, as the company no longer stored the type of data that was stolen.
It appears that the security breach initially took place in October 2013. Unfortunately, Staysure only became aware of the hack on 14 November. The Financial Conduct Authority, the Information Commissioner’s Office and the Police were immediately notified about the breach, but it took until the middle of December before the customers affected by the cyber-attack were finally notified.
Ryan Howsam, chief executive of Staysure, apologised for the delay in notifying customers but insisted that the company had acted as swiftly as it could:
“We locked down our systems. We deleted all of the card data from our live systems and brought in forensic IT specialists to fully ascertain the extent of the problem. We immediately removed the software and systems that the attackers exploited, and we are confident that we have taken the right steps to protect our customers in the future. We have written to 93,389 affected customers, which represents fewer than 7 per cent of our customer base, to warn them and ask them to check that they have not been the victims of any fraud as a result.”
In a letter written to customers affected by the security breach Staysure stated:
“While the payment card number you provided was encrypted, some of the other personal data that you provided to us, including the 3 digit CVV number on the back of the card, may have been accessed. Although you will understand that this cannot be used without the payment card number, there is still a risk that by using our records combined with [hacked] data obtained from elsewhere, it may be possible for your card to be used fraudulently. We are deeply sorry that this has happened and are working diligently to make sure that inconvenience to customers is minimised.”
The company has now offered affected customers free access to Data Patrol, an identity fraud monitoring service provided by Experian, and also assured customers that the problem was unlikely to reoccur as Staysure no longer kept customers’ CVV numbers: “these were legacy systems. We initially stored [them] to help customers with their renewal process.”
However, despite these reassurances, customers and the authorities were still angry about the way this confidential information had been kept. One customer told a BBC reporter:
“[The firm’s explanation] suggests that the CVV number had been stored and had not been encrypted. That’s a security code and I’m astonished that they kept it and in an unencrypted form.”
She added: “I can’t understand why I wasn’t informed earlier. They’d [Staysure] clearly been in contact with the Financial Conduct Authority, the Information Commissioner and the police, and it seems to me as a victim I was the last person to find out about it.”
The Information Commissioner’s Office (ICO) said it was making enquiries into the incident, but added that the law did not require firms to notify customers following a breach. However, a spokesperson for Financial Fraud Action UK, representing the bank card industry, expressed disquiet at Staysure’s apparent lax security arrangements, stating:
“The holding and storage of the three-digit Card Verification Code data by merchants and payment intermediaries is expressly prohibited under card schemes rules.”
Sir Alan Beith, MP for Berwick-upon-Tweed and chair of the House of Commons Justice Select Committee, which monitors the ICO, said companies needed to react quickly to let people know when security breaches took place:
“I think customers are entitled to be informed as soon as a company knows and that should be much clearer. This raises questions which I’d like to pursue with the Information Commissioner.”
If your organisation needs help with security auditing, penetration testing or web security solutions, please contact Krypsys on 01273 044072 or [email protected].