An online travel insurance firm has been fined £175,000 by the Information Commissioner’s Office (ICO) for poor website security that let hackers easily access its systems and steal sensitive information.
Over 5,000 customers of Staysure.co.uk had their credit card information stolen and used by hackers, while 100,000 credit card details were put at risk, as well as other sensitive data such as names, addresses and medical details.
The incident occurred between 14 and 28 October 2013 when hackers exploited a vulnerability in the JBoss Application Server on which the site's web server was based.
The ICO's investigation report (PDF) found that Staysure had no policy in place for reviewing and updating its IT security systems, so two updates to the database software were never applied. This left flaws in its systems open for five years.
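The failure described above is a patch-management gap: updates existed but nobody checked whether they had been applied. The following is an added example (not code from the article, Staysure or the ICO) of the kind of patch-currency audit a defender would run over a component inventory to surface exactly this condition, reporting how long each available update has been left unapplied. The inventory, component names, version numbers and release dates are constructed placeholders, not details from the incident.

```python
"""Patch-currency audit: flag components whose available updates were never applied.

Added example, not from the article. The inventory below is constructed; component
names, versions and release dates are illustrative placeholders.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Component:
    name: str
    installed: str          # version currently deployed
    latest: str             # newest vendor release known to the audit
    latest_released: date   # date that release became available


def parse_version(v: str) -> tuple:
    """Turn a dotted version such as '4.2.3.GA' into a comparable tuple (4, 2, 3).

    Non-numeric suffixes are ignored so that plain numeric comparison works.
    """
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def audit(inventory, today):
    """Return one finding per component that is behind the latest release.

    Each finding is (name, installed, latest, days_behind), where days_behind is
    how long the newer release has been available without being applied.
    Findings are sorted with the longest-outstanding update first.
    """
    findings = []
    for c in inventory:
        if parse_version(c.installed) < parse_version(c.latest):
            days_behind = (today - c.latest_released).days
            findings.append((c.name, c.installed, c.latest, days_behind))
    findings.sort(key=lambda f: f[3], reverse=True)
    return findings


# Constructed sample inventory (hypothetical components and versions).
SAMPLE_INVENTORY = [
    Component("app-server", "4.2.3", "4.2.5", date(2008, 11, 1)),
    Component("database", "5.0.10", "5.0.12", date(2009, 3, 15)),
    Component("web-server", "2.2.26", "2.2.26", date(2013, 9, 1)),
]

if __name__ == "__main__":
    # Audit as of a constructed reference date; prints each outstanding update.
    for name, inst, latest, days in audit(SAMPLE_INVENTORY, date(2013, 10, 14)):
        print(f"{name}: {inst} -> {latest} available for {days} days "
              f"(about {days // 365} years)")
```

Run periodically against a real inventory (for example one exported from a configuration-management database), the report makes a multi-year patch backlog visible long before an attacker does; the sort order puts the oldest unapplied update at the top so it is the first thing reviewed.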
Staysure became aware of the incident only when the firm was contacted by its card acquirer to highlight fraudulent activity taking place on customer accounts.
Steve Eckersley, head of enforcement at the ICO, said that he found it “unbelievable” that a company entrusted with important and sensitive information had such lax security policies in place.
“Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation,” he said.
“The fine issued by the ICO today should send a clear message to other companies of the importance of proper IT security.”
Staysure said that it will not contest the fine and has improved security to prevent any similar incident.
"The Financial Conduct Authority and the ICO are now satisfied that we have worked tirelessly to review all our systems to ensure full compliance," Staysure said in a statement.
"We have and will continue to take all the necessary steps to prevent any future breaches."
The fine will be reduced to £140,000 if Staysure pays by 24 March.
High street shoe retailer Office avoided a fine from the ICO earlier this year after a breach of its systems exposed details on over one million customers.