Breach of payment card data security standard leads to £175,000 ICO fine for insurer

Out-Law News | 26 Feb 2015 | 3:42 pm | 2 min. read

An online travel insurance company that stored sensitive payment card details in breach of payment card industry data security requirements has been fined £175,000 by the UK's Information Commissioner's Office (ICO) after the data was stolen by hackers.

The ICO said did not take sufficient steps to protect the security of the information it retained about its customers and was responsible for a serious breach of the Data Protection Act.

The watchdog found that failed to put processes in place to ensure that software updates were applied. This meant that known vulnerabilities in the software used by the company were able to be exploited by hackers who then managed to gain access to a customer database containing records on about three million customers.

Information that could be accessed by the hackers included their names, dates of birth, address, email addresses, phone number, travel dates and destinations and medical screening responses data. The compromised database also contained payment card information, including customers' payment card numbers, card expiry dates and the 'CVV' data – three digit security code (CVV) on the back of cards that is needed to authorise transactions.

The ICO said (12-page / 188KB PDF) that the evidence from its investigation "suggests that only payment card data was targeted and downloaded" by the hackers.

Although some of the payment card data was encrypted, the hackers were able to "identify the keys used in encrypting the data and then use these to decrypt the payment card numbers". had identified that it had wrongly stored CVV numbers and had decided to delete them, but "human error" meant that "the work to delete and cease storage of the CVV numbers was not completed" – protecting the CVV number is a key part of the PCI DSS requirements.

"At the time of the attack, a total of 110,096 live card details, relating to a total of 93,389 customers … were at risk of being accessed and used in fraudulent transactions," the ICO said.

The data breach was identified after was informed there had been "suspicious activity on customer accounts" by its "card acquirer". Subsequent evidence uncovered suggests hackers used the downloaded payment card data to "carry out fraudulent transactions", the ICO said.

A payment card data security standard, PCI DSS, implemented by the Payment Card Industry Security Standards Council, prohibits the storage of sensitive payment authentication data, including security codes on cards, by organisations.

Technology and payments expert Angus McFadyen of Pinsent Masons, the law firm behind, said the ICO's enforcement action confirms "the direction of travel in the UK" on payment card data security.

"Those that handle card data not only need to worry about PCI compliance being policed by the schemes, their members, and processing companies, but also need to have an eye on the ICO as a national regulator prepared to take action," McFadyen said.

"The obligation to comply with PCI standards is generally seen as a requirement imposed through a chain of contracts, with the card schemes at the top of the chain, but this is changing in the UK and the latest action from the ICO shows this. We haven’t yet gone as far as they have in, for example, some US states but over time we could well end up in a place where compliance is a statutory obligation," he said.

Under the Data Protection Act, data controllers are required to take "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". Businesses that fail to meet this standard risk being fined up to £500,000 by the ICO if there is a serious personal data breach.

Steve Eckersley, head of enforcement at the ICO, said: "It’s unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure. Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation."

Eckersley said the fine issued by the ICO "should send a clear message to other companies of the importance of proper IT security".