The Information Commissioner’s Office (ICO) has fined a specialist on-line travel insurer £175,000 for failing to keep customers’ personal information secure.
The ICO found that, in October 2013, the firm’s website was subject to an attack by someone exploiting a vulnerability in the firm’s IT security. The IT failings let hackers access a database containing approximately 3 million customer records. Attackers potentially had access to over 110,000 live credit card details relating to over 90,000 customers, as well as customers’ medical details.
Credit card security numbers and the number on the signature strip on the back of the cards were also accessible, despite industry rules that they should not be stored.
The attack was discovered after the firm was notified by its card acquirer of suspicious activity on customer accounts. Over 5,000 customers had their credit cards used by fraudsters after the attack. Fortunately for the customers, those losses were reimbursed by the relevant banks.
The firm had no policy or procedures in place to review and update IT security systems, and had twice failed to update database software that could have prevented this incident. This left security flaws in the firm’s system, some for as long as five years, which hackers ultimately exploited to gain access to customer information.
The ICO commented that this fine should send a clear message to other companies of the importance of proper IT security.