Insurance firm Staysure fined £175,000 for 'unbelievable' credit card hack
The ICO's investigation notes read like a case study in the way that an accumulation of smaller mistakes and poor processes can lead over time to major security problems.
The compromise itself happened between 14th and 28th October 2013, during which time attackers were able to place the malicious Javascript 'JSPSpy' back door on the firm's website that made it possible to control the site and query the customer database sitting behind it.
The software vulnerability that made the attack possible turned out to be an old one in the JBoss Application Server that had been patched as far back as 2010. Incredibly, the travel firm had no defined process for applying security updates and so this one was missed.
Having broken in, the attackers had access to the entire customer database of three million but targeted a subset of 110,096 live card details they had been able to retrieve the encryption keys for. CVV numbers for these cards had also not been deleted "as a result of human error," meaning that the criminals were now free to attempt to use the cards.
Around 5,000 were subsequently used in fraud and attempted fraud, something only realised when the credit card processor informed the firm of an unusual number of suspect transactions.
The failings were not patching a known software flaw for years, incompetently securing the data in the database and not detecting these errors until it was too late.
"It's unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure," said ICO head of enforcement, Steve Eckersley.
"Keeping personal information secure is a basic legal requirement. The company's actions were unacceptable and this penalty notice reflects the severity of the situation. The fine issued by the ICO today should send a clear message to other companies of the importance of proper IT security."
The ICO has become adept at tailoring its fines to the perceived crimes it wants to punish. In this case, the long-term nature of the failings and chaotic management of risk counted against the firm. Fraud was also a direct outcome of poor security.
Only weeks ago it decided against fining shoe firm Office, despite hackers gaining access to a database of a million customers left 'parked' on server.