£175,000 fine for failing to keep personal information secure

The Information Commissioner’s Office (ICO) has fined a specialist on-line travel insurer £175,000 for failing to keep customers’ personal information secure.

The ICO found that, in October 2013, the firm’s website was subject to an attack by someone exploiting a vulnerability in the firm’s IT security. The IT failings let hackers access a database containing approximately 3 million customer records. Attackers potentially had access to over 110,000 live credit card details relating to over 90,000 customers, as well as customers’ medical details.

Credit card security numbers and the number on the signature strip on the back of the cards were also accessible, despite industry rules that they should not be stored.

The attack was discovered after the firm was notified by its card acquirer of suspicious activity on customer accounts. Over 5,000 customers had their credit cards used by fraudsters after the attack. Fortunately for the customers, those losses were reimbursed by the relevant banks.

The firm had no policy or procedures in place to review and update IT security systems, and had twice failed to update database software that could have prevented this incident. This left security flaws in the firm’s system, some for as long as five years, which hackers ultimately exploited to gain access to customer information.

The ICO commented that this fine should send a clear message to other companies of the importance of proper IT security.

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s