Wednesday, 25 February 2015

ICO Fines Hacked Insurance Firm £175,000

The Information Commissioner's Office has handed out a £175,000 fine to Staysure.co.uk after the insurance company's data breach last year, which saw an unidentified hacker compromise 5,000 customers and access up to 110,000 live credit card details.  
Following the breach in October, the ICO has investigated the company's IT security practises and found that hackers had potential access to up to 110,000 live credit card details – including the three-digit security numbers (which should not be stored) – as well as customer medical records.
The hackers in question, however, only targeted and downloaded card information. At the time of the breach, the hacked database contained three million customer records.
The watchdog found that the company had breached the 1998 Data Protection Act by failing to keep personal information secure, while it also had no policy or procedures to review and update IT security systems.
In addition, it had twice failed to update (and thus remove flaws in) its database software, which the ICO says would have prevented this incident. As a result, the hackers exploited the flaws relating to the JBoss application server by injecting a malicious JavaScript webpage to create a backdoor onto the company's website. This flaw is said to have remained active for five years.

No comments:

Post a comment