An online travel insurance firm has been fined £175,000 by the Information Commissioner’s Office (ICO) for poor website security that let hackers easily access its systems and steal sensitive information.
Over 5,000 customers of Staysure.co.uk had their credit card information stolen and used by hackers, while 100,000 credit card details were put at risk, as well as other sensitive data such as names, addresses and medical details.
The incident occurred between 14 and 28 October 2013 when hackers exploited a vulnerability in the JBoss Application Server on which the site's web server was based.
The ICO discovered in its investigation that Staysure had no policies in place to review and update IT security systems, meaning that two updates to the database software were not applied. This left flaws in its systems open for five years.
Staysure became aware of the incident only when the firm was contacted by its card acquirer to highlight fraudulent activity taking place on customer accounts.
Steve Eckersley, head of enforcement at the ICO, said that he found it “unbelievable” that a company entrusted with important and sensitive information had such lax security policies in place.
“Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation,” he said.
“The fine issued by the ICO today should send a clear message to other companies of the importance of proper IT security.”
Staysure said that it will not contest the fine and has improved security to prevent any similar incident.
“The Financial Conduct Authority and the ICO are now satisfied that we have worked tirelessly to review all our systems to ensure full compliance,” Staysure said in a statement.
“We have and will continue to take all the necessary steps to prevent any future breaches.”
The fine will be reduced to £140,000 if Staysure pays by 24 March.
High street shoe retailer Office avoided a fine from the ICO earlier this year after a breach of its systems exposed details on over one million customers.