An online travel insurance firm has been fined £175,000 by the Information Commissioner’s Office (ICO) for poor website security that let hackers easily access its systems and steal sensitive information.
Over 5,000 customers of Staysure.co.uk had their credit card information stolen and used by hackers, while 100,000 credit card details were put at risk, as well as other sensitive data such as names, addresses and medical details.
The incident occurred between 14 and 28 October 2013 when hackers exploited a vulnerability in the JBoss Application Server on which the site's web server was based.
The ICO discovered in its investigation (PDF) that Staysure had no policies in place to review and update IT security systems, meaning that two updates to the database software were not applied. This left flaws in its systems open for five years.
Staysure became aware of the incident only when the firm was contacted by its card acquirer to highlight fraudulent activity taking place on customer accounts.
Steve Eckersley, head of enforcement at the ICO, said that he found it “unbelievable” that a company entrusted with important and sensitive information had such lax security policies in place.
“Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation,” he said.
“The fine issued by the ICO today should send a clear message to other companies of the importance of proper IT security.”
Staysure said that it will not contest the fine and has improved security to prevent any similar incident.
"The Financial Conduct Authority and the ICO are now satisfied that we have worked tirelessly to review all our systems to ensure full compliance," Staysure said in a statement.
"We have and will continue to take all the necessary steps to prevent any future breaches."
The fine will be reduced to £140,000 if Staysure pays by 24 March.
High street shoe retailer Office avoided a fine from the ICO earlier this year after a breach of its systems exposed details on over one million customers.