Author Gary Hibberd
As fines go, £175,000 for a data breach sounds like a BIG deal. Who can afford to lose that kind of money? But is it really?
The Information Commissioner’s Office (ICO) handed this fine to Staysure.co.uk after it emerged that, in October last year, the insurance company suffered a hacker attack in which over 110,000 live credit card details were compromised and more than 5,000 customers were affected.
The fine therefore equates to roughly £1.59 per card, or £35 per customer affected. But what is most worrying are some of the facts behind the breach… The company stored the CVV number (the security code printed on the back of your card), which it was NOT meant to store: under the Payment Card Industry Data Security Standard (PCI DSS) the security code must never be retained once a transaction has been authorised, even in encrypted form.
No Policies. No Procedures. No Chance.
The company had NO policies or procedures for the ongoing protection of its IT infrastructure, which at the time of the attack held in the region of 3 MILLION customer records, including medical records, with data stored unencrypted in ‘clear text’. Speaking personally, I think this is an unbelievable approach to such an important area of business (and the ICO appears to agree). We all would hope that the organisations we deal with are taking the protection of our personal information seriously – 3 million customers trusted this company and have been seriously let down.
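The two failures described above, a stored security code and card data sitting in clear text, are exactly what a cardholder-data discovery scan is meant to surface. Below is an added example of such a check; it is not code from the original post, from Staysure or from Agenci. It assumes the store under review can be exported as flat key=value rows, uses the Luhn check to separate real card numbers from other long digit runs, and flags any row that still carries a security-code field. The sample rows are constructed and use standard industry test card numbers, not live cards.

```python
"""Cardholder-data discovery check for clear-text records.

Added example, not code from the original post or from Staysure/Agenci.
Assumption: the store being checked can be dumped as flat key=value rows.
"""
import re

# Constructed sample rows standing in for an un-encrypted customer export.
# The card numbers are the usual industry test numbers, not live cards.
SAMPLE_ROWS = [
    "policy=P1001,name=A Smith,pan=4111111111111111,expiry=12/26,cvv=123",
    "policy=P1002,name=B Jones,pan=5555555555554444,expiry=03/27,cvv=987",
    "policy=P1003,name=C Brown,pan=tok_8f3a9c2e,expiry=09/25",   # tokenised: fine
    "policy=P1004,name=D Green,ref=12345678901234,cvv=",          # digits, not a card
]

# A PAN is 13-19 digits that are not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Field names under which the card security code is commonly (wrongly) kept.
CVV_RE = re.compile(r"\b(?:cvv2|cvv|cvc|csc)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check: tells real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits so the report is not itself a card dump."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(record: str) -> dict:
    """Flag a clear-text PAN and/or a stored security code in one row."""
    pans = [p for p in PAN_RE.findall(record) if luhn_ok(p)]
    cvv = CVV_RE.search(record)
    return {
        "pan_cleartext": bool(pans),
        "cvv_stored": cvv is not None,
        "masked_pans": [mask_pan(p) for p in pans],
    }


def scan_rows(rows) -> list:
    """Return one finding per offending row, numbered from 1."""
    findings = []
    for lineno, row in enumerate(rows, start=1):
        result = scan_record(row)
        if result["pan_cleartext"] or result["cvv_stored"]:
            findings.append({"line": lineno, **result})
    return findings


if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        status = "CVV STORED (must never be retained)" if f["cvv_stored"] else "clear-text PAN"
        print(f"row {f['line']}: {status} {f['masked_pans']}")
```

Run against the sample data, rows 1 and 2 are reported and rows 3 and 4 are not: the tokenised value has no card number in it, and the 14-digit reference fails the Luhn check. On a real estate the same scan should be pointed at database exports, backups and web-server or application logs, because a security code that the application discards can still survive in logged request bodies.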
Are you one of their customers? How are you feeling this morning about this news? Is it news? Were you informed?
Steve Eckersley, head of enforcement at the ICO is quoted as saying: “It’s unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure. Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation.”
As a consultant I don’t often give things away for free, but I’m going to make an exception here: send this blog to your CEO, MD, Board, Head of IT, CIO, or any combination of that group. Ask them whether they are confident that everything is in place to PROACTIVELY manage information security in your organisation.
Ensure your senior management teams are aware of the ramifications of getting this wrong. This fine demonstrates that ‘human error’ and ‘ignorance’ will not protect you. Take steps. Take them now.
It doesn’t take a ‘sixth sense’ to see that the fines are coming and that they’re getting bigger… “IC Fines People…” Make sure you’re not the next.
Agenci Information Security protects businesses from cyber threats, cyber-attacks, internal threats and business outages. Agenci ensures clients’ systems are secure and provides peace of mind through a range of proven specialist information security solutions.
Please contact us here to speak to a member of our team.