Breach details

What Customer records containing payment card data including CVV2/CVC2 data were extracted from a public-facing website by a malicious attacker.
How much 93,389 customer details containing 110,096 payment card records.
When 14 October 2013
Why A malicious attacker used a publicly known (since 2010) vulnerability in the JBoss Application Server to install a backdoor in the Staysure web server. This allowed the attacker to access and download all data stored within the system which included over three million customer records, although it appears that only payment card data was targeted by the attacker.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 175,000.
When 20 February 2015.

Why the regulator acted

Breach of act Breach of the fifth data protection principle in that it was recognised that old payment card data should have been deleted, this activity was planned however due to human error it was not completed.
Breach of the seventh data protection principle as systems and processes were not in place to update software. Additionally PCI DSS prohibits the storage of CCV2/CvC2 data.
Known or should have known The Data Controller was aware of the Payment Card Industry (PCI) Data Security Standard (DSS) which requires security update management and prohibits storage of CVV2/CVC2. The patch to JBoss was available from the RedHat distribution and so the Data Controller should have know about its availability. Given the Data Controller processed payment card data it should have been aware that a breach of this data would be liable to cause its customers substantial damage and distress.
Likely to cause damage or distress Of the payment card data stollen, the Commissioner was aware that over 5,000 such payment cards were used to commit fraudulent transactions. Although the fraudulent transactions were reimbursed by the Data Subject’s bank, the Commissioner is of the opinion that distress had in fact occurred.