Top 50 broker Staysure slammed by Information Commissioner’s Office for ‘unbelievable’ security failures
The Information Commissioner’s Office (ICO) has hit over-50s personal lines broker Staysure with a £175,000 fine after its customer records were hacked and used for fraud.
More than 5,000 customers had their credit cards used by fraudsters.
Hackers potentially had access to more than 100,000 live credit card details and customer medical records. The ICO was especially critical of the way credit card security codes (the CVV numbers) were exposed, since payment-card industry rules say they should not be stored at all.
The ICO investigation found that Staysure had breached the Data Protection Act by failing to keep the personal information secure.
The company had no policy or procedures in place to review and update its IT security systems, and had twice failed to apply updates to the database software that could have prevented the incident.
This left security flaws in the system, some of them unpatched for as long as five years, which the hackers ultimately exploited to gain access to customer information.
ICO head of enforcement Steve Eckersley said: “It’s unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure.
“Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation.
“The fine issued by the ICO today should send a clear message to other companies of the importance of proper IT security.”