Information Commissioner’s Office takes action for poor data security which resulted in a hacking attack and fraud
February 26, 2015 |
The Federal Trade Commission in the United States and the Information Commissioner’s Office in the United Kingdom are building up a significant body of enforceable undertakings, fines and monetary penalty notices which gives form and substance to the legislative regimes regulating privacy. Given the general drafting of both the guidelines and the legislation itself, this body of work provides some clarity on the approach of the regulators, as well as sending a message to the market about what will not be tolerated. In levying a hefty fine, some £175,000, on a holiday insurance company, Staysure, the ICO has made it clear that easily avoidable errors in maintaining a cyber security program, together with poor handling of stored credit card records, have consequences: here they permitted both the hack and the subsequent fraudulent use of more than 5,000 customers’ credit cards.
Often, once a breach occurs and the regulators review what has happened, they discover a lack of policies for reviewing and updating IT security systems, poor training, no structure for reporting and responding to the breach within the organisation, let alone outside it, and confusion between departments. That makes a bad situation so much worse. Part of that happened with this investigation.
The media release provides:
An online holiday insurance company has been fined £175,000 by the ICO after IT security failings let hackers access customer records.
More than 5,000 customers had their credit cards used by fraudsters after the attack on Staysure.co.uk.
Attackers potentially had access to over 100,000 live credit card details, as well as customers’ medical details. Credit card security numbers, the number on the signature strips on the back of the cards, were also accessible despite industry rules that they should not be stored at all.
An ICO investigation found the company had breached the Data Protection Act by failing to keep the personal information secure. The company had no policy or procedures in place to review and update IT security systems, and had twice failed to update database software which could have prevented this incident. This left security flaws in the system, some for as long as five years, which hackers ultimately exploited to gain access to customer information.
Steve Eckersley, Head of Enforcement at the ICO, said:
“It’s unbelievable to think that a company holding three million customer records did not have the procedures in place to keep that information secure. Keeping personal information secure is a basic legal requirement. The company’s actions were unacceptable and this penalty notice reflects the severity of the situation.”
“The fine issued by the ICO today should send a clear message to other companies of the importance of proper IT security.”
The monetary penalty notice is found here, and relevantly provides (numbering omitted):
Background
The data controller is a specialist online travel insurer offering multiple insurance products such as travel, health, life, holiday, home and car insurance to the general public.
Between 14 and 28 October 2013 the data controller’s website was subject to an attack by someone exploiting a vulnerability in the JBoss Application Server on which its website server was based.
The attacker used this vulnerability to inject a malicious javascript webpage called “JspSpy” into the data controller’s website. This created a backdoor to the web server allowing the attacker to remotely view and modify website source code and query the website’s backend database where customer data was being stored. It also enabled the attackers to open a command shell allowing them to remotely execute privileged operating system commands.
The vulnerability in the JBoss Application Server, and a software update to fix the issue, had been first published in 2010. A similar vulnerability and software update was subsequently published in 2013. However, the data controller did not have a formal process for reviewing and applying software updates and did not apply the available updates.
At the time of the attack, the data controller’s database contained approximately three million customer records. Those records included customer name, date of birth, email address, postal address, phone number, payment card number, card expiry, card CVV, travel dates and destination(s) and medical screening responses data. Whilst all of this information was potentially at risk, the evidence suggests that only payment card data was targeted and downloaded.
Prior to June 2008 payment card numbers were held in a plaintext format and unencrypted within the data controller’s database along with the customer name, expiry dates and CVV number.
From June 2008 payment card numbers, but not CVV numbers, were encrypted. However, having gained access to the data controller’s entire system, the attackers were able to identify the keys used in encrypting the data and then use these to decrypt the payment card numbers.
The data controller stored CVV numbers to assist with renewals of policies. In 2012 the data controller identified that CVV numbers should not have been stored and a decision was taken to delete them. However, as a result of human error the work to delete and cease storage of the CVV numbers was not completed.
Since 16 May 2012, 95% of all customer transactions were processed via a new separate and external system which removed the need to store card data on the web server. However, CVV data continued to be stored in relation to the remaining 5% of transactions until the breach was discovered.
At the time of the attack, a total of 110,096 live card details, relating to a total of 93,389 customers, stored on the old system were at risk of being accessed and used in fraudulent transactions.
The attack was discovered after the data controller was notified by its card acquirer of suspicious activity on customer accounts.
Multiple IP addresses are known to have accessed and downloaded customer data from the data controller’s web server. There is evidence that attackers downloaded payment card data and used this information to carry out fraudulent transactions.
Grounds on which the Commissioner proposes to serve a monetary penalty notice
The relevant provision of the Act is the Seventh Data Protection Principle which provides, at Part I of Schedule 1 to the Act, that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
Paragraph 9 at Part II of Schedule 1 to the Act provides that:
“Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to–
the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
the nature of the data to be protected”.
In deciding to issue this Notice of Intent, the Commissioner has considered the facts of the case and the deliberations of those within his office who have recommended this course of action. In particular, he has considered whether the criteria for the imposition of a monetary penalty have been met; whether, given the particular circumstances of this case and the underlying objective in imposing a monetary penalty, the imposition of such a penalty is justified; and whether the amount of the proposed penalty is proportionate.
Serious (S55A(1)(a))
The Commissioner is satisfied that there has been a serious contravention of the Seventh Data Protection Principle.
In particular, the data controller failed to take appropriate technical measures against the unauthorised or unlawful processing, or accidental loss, of personal data by:
Failing to have adequate policies and systems in place for checking, reviewing and applying available software security updates.
Storing payment card CVV numbers on its database in breach of the Payment Card Industry Data Security Standard.
The contravention is serious because these failings enabled an attacker to enter the data controller’s systems and access unencrypted card data which is known to have been fraudulently used. The measures taken by the data controller did not ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or data loss, and the volume and nature of the data to be protected.
Likely to cause substantial damage or substantial distress (S55A(1)(b))
The Commissioner is satisfied that the contravention is of a kind likely to cause substantial damage or substantial distress.
Active payment card data was obtained and there is evidence of fraud having taken place. Following the breach, over 5000 payment card details were reported to have been used in fraudulent transactions. However, losses arising were reimbursed by the banks. Therefore, not only was the contravention of a kind likely to cause substantial damage or distress, but there is evidence to suggest that it may in fact have caused distress.
The data subjects would also be likely to suffer from substantial distress on being informed that their personal data had been accessed by an unauthorised third party and could have been further disclosed. The knowledge of this access alone is likely to cause substantial distress.
Knew or ought to have known that there was a risk that the contravention would occur and that it would be of a kind likely to cause substantial damage or distress (S55A(3)(a)(i) and (ii)).
The Commissioner is satisfied that section 55A(3) of the Act applies in that the data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.
The data controller should have been aware of the risks associated with any compromise of payment card and card holder data due to the nature of the data being collected. The data controller was also aware of the Payment Card Industry Data Security Standard covering security related issues, and that there was a particular risk in storing CVV numbers.
Information about the security vulnerability in the JBoss Application Server, and the appropriate update to fix that vulnerability, was first published in the Common Vulnerabilities and Exposures List in 2010. Information about a similar vulnerability was published in 2013. The update was also made available via the software repositories of the Linux distribution in use by the data controller, namely RedHat.
In the circumstances, the data controller knew or ought to have known that there was a risk that the contravention would occur unless reasonable steps were taken to prevent the contravention, such as those outlined above.
Further, it should have been obvious to the data controller who was aware of the nature and amount of the personal data processed stored on the system, that such a contravention would be of a kind likely to cause substantial damage or substantial distress to the data subjects.
Aggravating features the Commissioner has taken into account in determining the amount of a monetary penalty
Effect of the contravention
There is evidence that some of the personal data was used for fraudulent transactions.
Behavioural issues
The data controller should have been aware of the vulnerability in 2010.
Impact on the data controller
The data controller is a limited company so liability to pay a monetary penalty will not fall on any individual.
The data controller has access to sufficient financial resources to pay the proposed monetary penalty without causing undue financial hardship.
Mitigating features the Commissioner has taken into account in determining the amount of the monetary penalty
Nature of the contravention
The data controller’s systems were subjected to a criminal attack.
The data controller has not experienced any previous data or similar security breach that the Commissioner is aware of.
Behavioural issues
The data controller was in the process of upgrading its IT infrastructure at the time of the breach.
Voluntarily reported to the Information Commissioner’s Office.
The data controller has been co-operative with the Information Commissioner’s Office.
The data controller took remedial action to remove all payment card data from its systems.
The data controller subsequently notified the data subjects of the security breach and provided a dedicated response team to assist customers together with a free Experian Data Patrol subscription for a period of six months.
Other considerations
The Fifth Data Protection Principle at Part I of Schedule 1 to the Act was also contravened in that payment card CVV numbers were stored on the data controller’s systems for longer than was necessary.
The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with the Act and this is an opportunity to reinforce the need for data controllers to ensure that appropriate and effective security measures are applied to personal data stored on their information technology systems.
Notice of Intent
A notice of intent dated 18 December 2014 was served on the data controller. The Commissioner received written representations from the data controller in response to the notice of intent dated 27 January 2015. The Commissioner has considered those representations when deciding whether to serve a monetary penalty notice. In particular, the Commissioner has taken the following steps:
reconsidered the amount of the monetary penalty generally, and whether it is a reasonable and proportionate means of achieving the objective which the Commissioner seeks to achieve by this imposition;
ensured that the monetary penalty is within the prescribed limit of £500,000; and
ensured that the Commissioner is not, by imposing a monetary penalty, acting inconsistently with any of his statutory or public law duties and that a monetary penalty notice will not impose undue financial hardship on an otherwise responsible data controller.
Amount of the monetary penalty
The Commissioner considers that the contravention of the Seventh Data Protection Principle is very serious and that the imposition of a monetary penalty is appropriate. Further that a monetary penalty in the sum of £175,000 (one hundred and seventy five thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty.
In reaching this decision, the Commissioner considered other cases of a similar nature in which a monetary penalty had been imposed, and the facts and aggravating and mitigating features referred to above.
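The Background section of the notice describes the mechanics of the intrusion: an unpatched JBoss Application Server, a page called “JspSpy” dropped onto the server (despite the notice’s wording, a tool of that name is a JSP server-side page rather than browser-side JavaScript), and a resulting command shell with access to source code and the backend database. As an added example that is not part of the ICO notice and not anything Staysure ran, the following Python script shows the kind of deploy-tree triage an incident responder uses to find such a page after an acquirer reports card fraud. The indicator strings, weights, deploy path and sample pages are this example’s own assumptions, not a signature for the real JspSpy sample.

```python
"""Triage JSP pages under an application server's deploy tree for webshell traits.

Added example; not code from the ICO notice or from the operator it concerns.
The INDICATORS table and weights are this example's assumptions: generic traits of a
JSP command shell (a process spawned from a request parameter, file writes, JDBC
access, a password gate), not a signature for any particular sample.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# (name, pattern, weight). Weights are chosen for this example.
INDICATORS = [
    ("exec_call", re.compile(r"Runtime\.getRuntime\(\)\.exec\(|new\s+ProcessBuilder\("), 3),
    ("request_param", re.compile(r"request\.getParameter\("), 1),
    ("file_write", re.compile(r"new\s+FileOutputStream\(|new\s+RandomAccessFile\("), 1),
    ("jdbc_access", re.compile(r"DriverManager\.getConnection\("), 1),
    ("password_gate", re.compile(r"(?i)\b(pass\w*|pwd?)\s*\.equals\("), 1),
]
THRESHOLD = 4  # exec_call alone is not enough; exec fed by request input is


@dataclass
class Finding:
    path: str
    score: int
    hits: list = field(default_factory=list)


def score_jsp(text):
    """Return (score, hit_names) for one JSP source text."""
    hits, score = [], 0
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            hits.append(name)
            score += weight
    # The defining trait of a command shell: spawn a process from request input.
    if "exec_call" in hits and "request_param" in hits:
        score += 2
    return score, hits


def scan_deploy_tree(root):
    """Walk a deploy tree and return Findings for JSP files scoring at or above THRESHOLD."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, hits = score_jsp(fh.read())
            if score >= THRESHOLD:
                findings.append(Finding(path, score, hits))
    return sorted(findings, key=lambda f: -f.score)


# Constructed sample pages for the example: one ordinary page, one command shell.
BENIGN_JSP = """<%@ page contentType="text/html" %>
<html><body>
<p>Hello, <%= request.getParameter("name") %></p>
</body></html>
"""

SHELL_JSP = """<%@ page import="java.io.*" %>
<% String pw = request.getParameter("pw");
   if (pw != null && pw.equals("s3cret")) {
     String cmd = request.getParameter("cmd");
     Process p = Runtime.getRuntime().exec(cmd);
     BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
     String line; while ((line = r.readLine()) != null) out.println(line);
     String path = request.getParameter("save");
     if (path != null) { new FileOutputStream(path).write(cmd.getBytes()); }
   } %>
"""


def build_sample_tree():
    """Create a throwaway deploy tree (constructed, not a real server) and return its root."""
    root = tempfile.mkdtemp(prefix="deploy-")
    app = os.path.join(root, "quote.war")
    os.makedirs(app)
    with open(os.path.join(app, "index.jsp"), "w") as fh:
        fh.write(BENIGN_JSP)
    with open(os.path.join(app, "cmd.jsp"), "w") as fh:
        fh.write(SHELL_JSP)
    return root


if __name__ == "__main__":
    for f in scan_deploy_tree(build_sample_tree()):
        print(f"{f.score:>2}  {f.path}  {','.join(f.hits)}")
```

Scoring rather than single-string matching is deliberate: a legitimate admin page may call `Runtime.exec`, and almost every page reads request parameters, but a page that does both, gates itself with a password and writes arbitrary files is a shell until proven otherwise. In a real engagement the scan would be paired with file modification times against the deployment record, since a JSP nobody deployed is suspicious regardless of what it contains.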
Coverage of this event has been extensive; see, for example, the report ICO fines travel insurance firm £175,000 for website hack.
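The notice’s Background section records two storage failures that compounded the intrusion: CVV numbers kept “to assist with renewals” and still present after a 2012 decision to delete them was never carried through, and card numbers that were encrypted from June 2008 with keys the attackers could recover from the same compromised system. As an added example, not code from the ICO notice or from Staysure, the following Python script does what that 2012 clean-up should have included: it audits a database for CVV values and full card numbers, purges them, and re-runs the audit so the deletion is verified rather than assumed. The schema, column names and rows are constructed for the example, and the card numbers are the public Visa and Mastercard test numbers, not real cards.

```python
"""Audit a policy database for payment-card data that should not be stored, then purge it.

Added example; not code from the ICO notice or from the operator it concerns.
Schema, column names and rows below are constructed. The check is deliberately
content-based for card numbers (a Luhn-valid 13-19 digit string in any text column)
and name-based for CVV columns, because a renamed column is how "we deleted it"
turns out to be untrue years later.
"""
import re
import sqlite3

CVV_COLUMN = re.compile(r"(?i)(cvv|cvc|security_code)")
PAN_DIGITS = re.compile(r"^\d{13,19}$")


def luhn_ok(number):
    """Standard Luhn checksum over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise(value):
    return value.replace(" ", "").replace("-", "")


def looks_like_pan(value):
    if not isinstance(value, str):
        return False
    s = normalise(value)
    return bool(PAN_DIGITS.match(s)) and luhn_ok(s)


def audit(conn):
    """Return {table: {"cvv": [(col, rows)], "pan": [(col, rows)]}} for offending columns."""
    report = {}
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        cvv_hits, pan_hits = [], []
        for col in cols:
            values = [r[0] for r in conn.execute(
                f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL')]
            if CVV_COLUMN.search(col) and values:
                cvv_hits.append((col, len(values)))
            pans = sum(1 for v in values if looks_like_pan(v))
            if pans:
                pan_hits.append((col, pans))
        if cvv_hits or pan_hits:
            report[table] = {"cvv": cvv_hits, "pan": pan_hits}
    return report


def purge(conn, report):
    """Null every CVV column and reduce full card numbers to a masked last four, in one transaction."""
    with conn:
        for table, r in report.items():
            for col, _ in r["cvv"]:
                conn.execute(f'UPDATE "{table}" SET "{col}" = NULL')
            for col, _ in r["pan"]:
                for rowid, v in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"').fetchall():
                    if looks_like_pan(v):
                        conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                                     ("****" + normalise(v)[-4:], rowid))


def build_sample_db():
    """In-memory database with constructed rows mirroring the storage patterns in the notice."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE policies (
        id INTEGER PRIMARY KEY, customer TEXT, phone TEXT,
        card_number TEXT, card_expiry TEXT, card_cvv TEXT, processor_token TEXT)""")
    rows = [
        # legacy row: full card number and CVV held together (the pre-2008 pattern)
        (1, "A. Example", "02071234567", "4111 1111 1111 1111", "12/15", "123", None),
        # legacy row: number already masked, but the CVV was left behind
        (2, "B. Example", "01611234567", "****4444", "03/16", "987", None),
        # post-2012 row: only the external processor's token is held
        (3, "C. Example", "01171234567", None, "09/16", None, "tok_9f3a1c"),
        (4, "D. Example", "02081234567", "5555555555554444", "11/15", None, None),
    ]
    conn.executemany("INSERT INTO policies VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    before = audit(db)
    print("before:", before)
    purge(db, before)
    print("after: ", audit(db))
```

The phone numbers are eleven digits, so the length gate excludes them before Luhn is consulted; that gate matters, because short numeric strings pass Luhn about one time in ten. The second audit after `purge` is the point of the exercise: the notice attributes the surviving CVV data to “human error” in an uncompleted deletion, which is exactly the failure a verification step catches.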