Staysure.co.uk Limited

Breach details

What: Customer records containing payment card data, including CVV2/CVC2 data, were extracted from a public-facing website by a malicious attacker.
How much: 93,389 customer details containing 110,096 payment card records.
When: 14 October 2013.
Why: A malicious attacker used a publicly known (since 2010) vulnerability in the JBoss Application Server to install a backdoor on the Staysure web server. This allowed the attacker to access and download all data stored within the system, which included over three million customer records, although it appears that only payment card data was targeted by the attacker.

Regulatory action

Regulator: ICO.
Action: Monetary penalty of £175,000.
When: 20 February 2015.

Why the regulator acted

Breach of act: Breach of the fifth data protection principle, in that it was recognised that old payment card data should have been deleted; this deletion was planned but, due to human error, it was not completed.
Breach of the seventh data protection principle, as systems and processes were not in place to update software. Additionally, PCI DSS prohibits the storage of CVV2/CVC2 data.
Known or should have known: The Data Controller was aware of the Payment Card Industry (PCI) Data Security Standard (DSS), which requires security update management and prohibits storage of CVV2/CVC2 data. The patch to JBoss was available from the Red Hat distribution, so the Data Controller should have known about its availability. Given that the Data Controller processed payment card data, it should have been aware that a breach of this data would be liable to cause its customers substantial damage and distress.
Likely to cause damage or distress: Of the payment card data stolen, the Commissioner was aware that over 5,000 such payment cards were used to commit fraudulent transactions. Although the fraudulent transactions were reimbursed by the data subjects' banks, the Commissioner is of the opinion that distress had in fact occurred.
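Two of the failings above (retained card data that a manual deletion job never removed, and CVV2/CVC2 values held at rest contrary to PCI DSS) are both the kind of control that should be automated rather than left to a person. The following is an added illustration, not code from Staysure or the ICO notice: a small audit-and-remediate routine over constructed sample records, with an assumed 365-day retention window and assumed field names.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional, Tuple

RETENTION_DAYS = 365  # assumed business retention window for stored card data


@dataclass(frozen=True)
class CardRecord:
    customer_id: int
    pan_last4: str          # only a truncated PAN is kept in this illustration
    expiry: str
    cvv: Optional[str]      # must never be present at rest under PCI DSS
    stored_on: date


# Constructed sample data; the dates are chosen around the 14 October 2013 breach date.
SAMPLE = [
    CardRecord(1, "4242", "12/25", "123", date(2012, 9, 1)),    # CVV held AND past retention
    CardRecord(2, "1111", "06/24", None, date(2013, 8, 1)),     # compliant
    CardRecord(3, "9999", "01/26", "999", date(2013, 9, 30)),   # CVV held, within window
]


def audit(records: List[CardRecord], today: date,
          retention_days: int = RETENTION_DAYS) -> Tuple[List[int], List[int]]:
    """Report, without changing anything, which records break each rule.

    Returns (cvv_violations, purge_due): customer ids still holding a CVV,
    and customer ids whose card data is older than the retention window.
    """
    cutoff = today - timedelta(days=retention_days)
    cvv_violations = [r.customer_id for r in records if r.cvv]
    purge_due = [r.customer_id for r in records if r.stored_on < cutoff]
    return cvv_violations, purge_due


def remediate(records: List[CardRecord], today: date,
              retention_days: int = RETENTION_DAYS) -> List[CardRecord]:
    """Apply both rules and return the records that may remain stored.

    Expired records are dropped outright; surviving records have any CVV
    value removed. The input list is not mutated, so the caller can log the
    audit result first and then persist the returned list.
    """
    cutoff = today - timedelta(days=retention_days)
    return [replace(r, cvv=None) for r in records if r.stored_on >= cutoff]


if __name__ == "__main__":
    print(audit(SAMPLE, date(2013, 10, 14)))
    print(remediate(SAMPLE, date(2013, 10, 14)))
```

Running this as a scheduled job, and alerting when `audit` returns a non-empty list, replaces the one-off manual deletion that the notice says was planned but never carried out.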

Worldview Limited

Breach details

What: Customer records containing encrypted payment card data, including CVV2/CVC2 data, were extracted from a public-facing website by a malicious attacker.
How much: 3,814 records.
When: 18 June 2013.
Why: A single web server also hosted the customer database and the WordPress content management system. A malicious attacker used SQL injection techniques to extract the WordPress password hashes, which the attacker was then able to brute-force because weak passwords had been used. The attacker was then able to extract records from the database, including encrypted payment data; however, the encryption keys were stored on the same drive as the encrypted data and were therefore available to the attacker.

Regulatory action

Regulator: ICO.
Action: Monetary penalty of £7,500.
When: 31 October 2014.

Why the regulator acted

Breach of act: Breach of the seventh principle, in that insufficient technical and organisational measures were taken. The ICO highlighted:

  • Developer training
  • Security testing of web pages
  • Use of default passwords
  • Encryption/Decryption key management
Known or should have known: The Data Controller was aware of the Payment Card Industry (PCI) Data Security Standard (DSS) and therefore should have been aware of the risks and the recommended controls. Given the nature of the information stored, it should also have been obvious to the Controller that a breach of security would be liable to cause damage or distress to the data subjects.
Likely to cause damage or distress: The ICO argues that the loss of payment card data could lead to fraud and substantial damage to the data subjects affected (even though there was no evidence of this). The knowledge of the loss of their personal data would cause 'substantial distress' to a data subject.

Think W3 Limited

Breach details

What: A malicious hacker was able to access significant amounts of customer data, including credit card details, after targeting Think W3 Limited's website.
How much: 1,163,996 records containing credit or debit card details, of which 430,599 were current.
When: 21 December 2012.
Why: A system intended for internal purposes was installed on the same web server as the business's e-commerce application containing customer data. To facilitate working from home, this service could be accessed via a login page on a non-customer-facing website that was publicly available over the internet. The login page was not secure, due to a coding error that was missed because no security testing had been done, on the basis that this page was not public facing. The hacker was able to exploit this vulnerability and gain administrative access to all the data on the web server.

Regulatory action

Regulator: ICO.
Action: Monetary penalty of £150,000.
When: 23 July 2014.

Why the regulator acted

Breach of act: Breach of the seventh data protection principle: Think W3 Limited failed to take appropriate technical measures to ensure the security of personal data, predominantly through failing to undertake suitable security testing, owing to a failure to understand the extent to which the web server could be accessed via the internet, or to meet PCI DSS compliance requirements.
Known or should have known: By 2011 Think W3 Limited was aware of a number of issues with its PCI DSS compliance, causing it to review its security practices. However, it was slow in implementing improvements, despite being aware of the risk of contravention.
Likely to cause damage or distress: Although CVV2/CVC2 values were not obtained, the data obtained was clearly of interest to the attacker, given the targeted nature of the attack, and could be used for fraudulent purposes. The data subjects would rightly be distressed to learn that their data had been accessed by a malicious third party.