Company website relied on vulnerable software for years

Feb 27, 2015 09:50 GMT

A UK-based company offering holiday insurance policies has received a £175,000 (€240,000 / $269,000) fine from the Information Commissioner’s Office (ICO) for failing to protect customers’ payment card data.

Fraudsters managed to find a way into the computer infrastructure of Staysure.co.uk and gained access to more than 100,000 credit card records and customer medical details. ICO says that 5,000 clients had their payment card details used fraudulently after the attack.

It appears that the CVV (card verification value) codes, the three or four digits printed on the back of the card, were also stored on the company's systems, even though retaining them after authorization is completely against Payment Card Industry (PCI) standards.

Hackers had full access to the customer database

According to the ICO, the company had no procedures in place for reviewing and updating the security of the machines storing sensitive data, which allowed exploitable security flaws to remain present for as long as five years.

“It’s unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure. Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation,” says Steve Eckersley, Head of Enforcement at the ICO.

The cyber-attack occurred between October 14 and 28, 2013, and took advantage of a vulnerability in the JBoss Application Server used for the website.

Hackers were able to plant JspSpy on the server, a web shell that allows uploading, downloading, archiving and deleting files through a web interface. It can also be used to launch a command console for a more extended set of operations.

Company fails to apply security patches, twice

A fix for the vulnerability was released by the JBoss Application Server maintainers in 2010, and another update that would have plugged the security hole rolled out in 2013, but Staysure.co.uk failed to apply the patches on both occasions.

At the time of the incident, the customer database included personal information (names, dates of birth, email addresses, postal addresses, phone numbers, payment card numbers, card expiration dates, CVVs, travel dates and destination(s), and medical screening responses) on about three million customers.
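The field list above is also a checklist for what a payment system may legitimately keep. As an added example, not code from the article or from Staysure, the following Python gate drops sensitive authentication data (the CVV) before a record is written and masks the card number, and a companion audit flags records already in a datastore that still hold either; the field names and the sample record are assumptions constructed for the example.

```python
# Added example, not code from the article or from Staysure: a storage gate and an
# audit modelled on the fields the article says were held (card number, expiry, CVV).
# Constructed sample data; PCI DSS forbids storing the CVV after authorization and
# allows at most the first six and last four PAN digits in the clear.
import re

SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cvv2", "track_data", "pin"}  # never persist
PAN_FIELDS = {"card_number", "pan"}  # assumed column names for the card number

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, star out the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def prepare_for_storage(rec: dict) -> tuple:
    """Return (record safe to write, list of field names that were dropped)."""
    out, dropped = {}, []
    for key, value in rec.items():
        k = key.lower()
        if k in SENSITIVE_AUTH_FIELDS:
            dropped.append(key)          # used for the authorization call, then discarded
        elif k in PAN_FIELDS:
            out[key] = mask_pan(str(value))
        else:
            out[key] = value             # names, expiry, travel dates etc. may be stored
    return out, dropped

def audit_stored_records(rows: list) -> list:
    """Flag rows already in a datastore that still hold a CVV or an unmasked PAN."""
    findings = []
    for i, row in enumerate(rows):
        for key, value in row.items():
            k, digits = key.lower(), re.sub(r"\D", "", str(value))
            if k in SENSITIVE_AUTH_FIELDS and value not in (None, ""):
                findings.append((i, key, "sensitive authentication data stored"))
            elif k in PAN_FIELDS and 13 <= len(digits) <= 19:
                findings.append((i, key, "unmasked PAN stored"))
    return findings

if __name__ == "__main__":
    # Constructed sample record mirroring the article's field list (not real data).
    sample = {"name": "Test Customer", "card_number": "4111 1111 1111 1111",
              "expiry": "12/16", "cvv": "123", "travel_dates": "2013-10-14"}
    safe, dropped = prepare_for_storage(sample)
    print(safe, "dropped:", dropped)
    print(audit_stored_records([sample, safe]))
```

The audit treats any PAN field that still contains 13 to 19 digits as unmasked, so a record masked by the gate passes while a raw card number is reported.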

However, out of the wealth of details available, it appears that the hackers focused on the payment information only.