Staysure hack leaves customers’ finances vulnerable

Insurance company blasted over unencrypted credit card details and customer notification procedures.

Data theft

Travel insurance provider to the over-50s Staysure has admitted customers may have had their financial information stolen during an October 2013 cyber attack.

The company has warned the encrypted payment card details of 93,000 customers who purchased insurance before May 2012 may have been stolen, along with unencrypted CVV details (the three digit security code on the back of cards). Customer names and addresses may also have been taken, it admitted.

A spokesperson for the company told IT Pro: "As soon as we became aware of the problem on November 14, we immediately removed the software and systems that the attackers exploited, and we are confident that we have taken the right steps to protect our customers in the future.

"We informed the relevant card issuing bodies straight away and subsequently The Financial Conduct Authority (FCA), the Information Commissioner's Office (ICO) and the police."

Independent consultants had also been brought in to work out what went wrong and how far-reaching the hack was, the spokesperson added.

Staysure's CEO has also issued a statement via the organisation's website, saying the firm is "deeply sorry and [is] working diligently to make sure that inconvenience to customers is minimised."

He also sought to reassure other customers, stating that if they have not been written to, they have not been affected.

However, the company's handling of the situation has been criticised on two fronts. Firstly, it took a month for the affected customers to be notified and the stored CVV information should never have been retained.

One customer told the BBC she was "astonished they kept [the CVV code] in an unencrypted form".

"I can't understand why I wasn't informed earlier. [Staysure] had clearly been in contact with the Financial Conduct Authority, the Information Commissioner and the police and it seems to me as a victim I was the last person to find out about it," the customer explained.

Staysure's spokesperson said, based on the advice it received, the company waited until it had identified the affected customers to prevent the spread of unnecessary worry. He added the company no longer retains any of its customers' financial information.

An ICO spokesperson confirmed it was investigating the hack.

"We have recently been made aware of a possible data breach which may involve Staysure. We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken," the spokesperson said.

Featured Resources

2021 Thales cloud security study

The challenges of cloud data protection and access management in a hybrid and multi cloud world

Free download

IDC agility assessment

The competitive advantage in adaptability

Free Download

Digital transformation insights from CIOs for CIOs

Transformation pilotes, co-pilots, and engineers

Free download

What ITDMs did next - and what they should be doing now

Enable continued collaboration and communication for hybrid workers

Recommended

Pizza chain exposed 100,000 employees' Social Security numbers
data breaches

Pizza chain exposed 100,000 employees' Social Security numbers

19 Nov 2021
83% of critical infrastructure companies have experienced breaches in the last three years
cyber security

83% of critical infrastructure companies have experienced breaches in the last three years

11 Nov 2021
Identity Automation launches credential breach monitoring service
phishing

Identity Automation launches credential breach monitoring service

5 Oct 2021
Neiman Marcus data breach hits 4.6 million customers
data breaches

Neiman Marcus data breach hits 4.6 million customers

4 Oct 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
Microsoft seizes domains used by Chinese hacking group
cyber attacks

Microsoft seizes domains used by Chinese hacking group

7 Dec 2021
Australia film archive gets $41.9 million to digitise audiovisual heritage
digitisation

Australia film archive gets $41.9 million to digitise audiovisual heritage

6 Dec 2021