More than 93,000 customers affected

Travel insurer Staysure has informed customers that sensitive credit card details may have been stolen in a hack of its IT systems.

Staysure wrote to affected customers in December, saying that encrypted payment information such as credit card CVV security numbers, names and addresses had been stolen.

The travel insurer became aware of the breach in November and informed the FCA, Information Commissioner’s Office and the police.

Chief executive Ryan Howsam said in a statement: “In that attack, encrypted payment card details of customers who purchased insurance from us before May 2012 were stolen, along with CVV details and customer names and addresses. From May 2012 we ceased to store this data.

“We became aware of the problem on November 14, and quickly informed the relevant card issuing bodies and subsequently The Financial Conduct Authority, the Information Commissioner’s Office and the Police. We immediately hired independent forensic data experts to fully ascertain the extent of the problem and have written to 93,389 affected customers, which represents fewer than 7% of our customer base, to warn them and to ask them to check that they have not been the victims of any fraud as a result.”

One customer affected by the breach told the BBC she was angry that the information had been stored unencrypted by the travel insurer.

Francine Collison told the BBC: “[The firm’s explanation] suggests that the CVV number had been stored and had not been encrypted. That’s a security code and I’m astonished that they kept it, and in an unencrypted form.

“I can’t understand why I wasn’t informed earlier. They’d [Staysure] clearly been in contact with the Financial Conduct Authority, the Information Commissioner and the police, and it seems to me as a victim I was the last person to find out about it.”