|Customer records containing payment card data including CVV2/CVC2 data were extracted from a public-facing website by a malicious attacker.
|93,389 customer details containing 110,096 payment card records.
|14 October 2013
|A malicious attacker used a publicly known (since 2010) vulnerability in the JBoss Application Server to install a backdoor in the Staysure web server. This allowed the attacker to access and download all data stored within the system which included over three million customer records, although it appears that only payment card data was targeted by the attacker.
|Monetary penalty of £ 175,000.
|20 February 2015.
Why the regulator acted
|Breach of act
|Breach of the fifth data protection principle in that it was recognised that old payment card data should have been deleted, this activity was planned however due to human error it was not completed.
Breach of the seventh data protection principle as systems and processes were not in place to update software. Additionally PCI DSS prohibits the storage of CCV2/CvC2 data.
|Known or should have known
|The Data Controller was aware of the Payment Card Industry (PCI) Data Security Standard (DSS) which requires security update management and prohibits storage of CVV2/CVC2. The patch to JBoss was available from the RedHat distribution and so the Data Controller should have know about its availability. Given the Data Controller processed payment card data it should have been aware that a breach of this data would be liable to cause its customers substantial damage and distress.
|Likely to cause damage or distress
|Of the payment card data stollen, the Commissioner was aware that over 5,000 such payment cards were used to commit fraudulent transactions. Although the fraudulent transactions were reimbursed by the Data Subject’s bank, the Commissioner is of the opinion that distress had in fact occurred.
|View PDF of the Staysure Monetary Penalty Notice (Breach Watch Archive)
|View PDF of the Staysure Monetary Penalty Notice (Via ICO Website)