Travel insurance provider to the over-50s Staysure has admitted customers may have had their financial information stolen during an October 2013 cyber attack.
The company has warned the encrypted payment card details of 93,000 customers who purchased insurance before May 2012 may have been stolen, along with unencrypted CVV details (the three digit security code on the back of cards). Customer names and addresses may also have been taken, it admitted.
A spokesperson for the company told IT Pro: "As soon as we became aware of the problem on November 14, we immediately removed the software and systems that the attackers exploited, and we are confident that we have taken the right steps to protect our customers in the future.
"We informed the relevant card issuing bodies straight away and subsequently The Financial Conduct Authority (FCA), the Information Commissioner's Office (ICO) and the police."
Independent consultants had also been brought in to work out what went wrong and how far-reaching the hack was, the spokesperson added.
Staysure's CEO has also issued a statement via the organisation's website, saying the firm is "deeply sorry and [is] working diligently to make sure that inconvenience to customers is minimised."
He also sought to reassure other customers, stating that if they have not been written to, they have not been affected.
However, the company's handling of the situation has been criticised on two fronts. Firstly, it took a month for the affected customers to be notified and the stored CVV information should never have been retained.
One customer told the BBC she was "astonished they kept [the CVV code] in an unencrypted form".
"I can't understand why I wasn't informed earlier. [Staysure] had clearly been in contact with the Financial Conduct Authority, the Information Commissioner and the police and it seems to me as a victim I was the last person to find out about it," the customer explained.
Staysure's spokesperson said, based on the advice it received, the company waited until it had identified the affected customers to prevent the spread of unnecessary worry. He added the company no longer retains any of its customers' financial information.
An ICO spokesperson confirmed it was investigating the hack.
"We have recently been made aware of a possible data breach which may involve Staysure. We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken," the spokesperson said.
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolenCapita told the pension provider to “work on the assumption” that data had been stolen
-
Gumtree site code made personal data of users and sellers publicly accessibleNews Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website
-
Pizza chain exposed 100,000 employees' Social Security numbersNews Former and current staff at California Pizza Kitchen potentially burned by hackers
-
83% of critical infrastructure companies have experienced breaches in the last three yearsNews Survey finds security practices are weak if not non-existent in critical firms
-
Identity Automation launches credential breach monitoring serviceNews New monitoring solution adds to the firm’s flagship RapidIdentity platform
-
Neiman Marcus data breach hits 4.6 million customersNews The breach took place last year, but details have only now come to light
-
Indiana notifies 750,000 after COVID-19 tracing data accessedNews The state is following up to ensure no information was transferred to bad actors
-
Pearson fined $1 million for downplaying severity of 2018 breachNews The SEC found the London-based firm made “misleading statements and omissions” about the intrusion
