Travel insurer Staysure warns customers over IT hack

Image caption Some 93 000 Staysure travel insurance customers may be affected by a data breach

The travel insurer Staysure has warned customers that some of their sensitive bank card details may have been stolen after its IT security was breached.

Some 93,000 people who bought policies prior to May 2012 may be at risk, it said.

Staysure said it believed hackers may have stolen the three digit Card Verification Value (CVV) numbers of some policy holders.

It has apologised to customers, urging them to check their accounts.

'Used fraudulently'

In a letter written to customers, the company said it had become aware of the breach on 14 November.

It said: "While the payment card number you provided was encrypted, some of the other personal data that you provided to us, including the 3 digit CVV number on the back of the card, may have been accessed.

"Although you will understand that this cannot be used without the payment card number, there is still a risk that by using our records combined with data obtained from elsewhere, it may be possible for your card to be used fraudulently."

One customer, Francine Collison from London, told the BBC she had received a letter on 19 December from Staysure warning her of the breach, which it said it believed had happened at the end of October.

Ms Collison said she was angry about the way her details had been kept.

"[The firm's explanation] suggests that the CVV number had been stored and had not been encrypted. That's a security code and I'm astonished that they kept it and in an unencrypted form."

She added: "I can't understand why I wasn't informed earlier. They'd [Staysure] clearly been in contact with the Financial Conduct Authority, the Information Commissioner and the police, and it seems to me as a victim I was the last person to find out about it."

Meanwhile, a spokesperson for Financial Fraud Action UK, representing the bank card industry, said: "The holding and storage of the three-digit Card Verification Code data (also known as the Card Security Code) by merchants and payment intermediaries is expressly prohibited under card schemes rules."

Ryan Howsam, chief executive of Staysure, apologised to customers and said those affected were being offered a free subscription to a credit agency data monitoring service.

He said: "We did act as fast as we could. We locked down our systems. We deleted all of the card data from our live systems and brought in forensic IT specialists."

Mr Howsam also insisted customers' CVV numbers were no longer kept by the firm.

"These were legacy systems. We initially stored [them] to help customers with their renewal process."

The Information Commissioner's Office (ICO) said it was making enquiries into the incident.

It said the law did not require firms to notify customers following a breach.

Sir Alan Beith, MP for Berwick on Tweed and chair of the House of Commons Justice Select Committee which monitors the ICO, said companies needed to react quickly to let people know when security breaches took place.

"I think customers are entitled to be informed as soon as a company knows and that should be much clearer. This raises questions which I'd like to pursue with the Information Commissioner."

Money Box is broadcast on Saturdays at 12:00 BST on BBC Radio 4 and repeated on Sundays at 21:00 BST. You can listen again via the BBC iPlayer or by downloading Money Box podcast.

Have you been affected by the Staysure security breach? Let us know your views

Your contact details

If you are happy to be contacted by a BBC journalist please leave a telephone number that we can contact you on. In some cases a selection of your comments will be published, displaying your name as you provide it and location, unless you state otherwise. Your contact details will never be published. When sending us pictures, video or eyewitness accounts at no time should you endanger yourself or others, take any unnecessary risks or infringe any laws. Please ensure you have read the terms and conditions.

Terms and conditions

The BBC's Privacy Policy

Around the BBC

Related Internet links

The BBC is not responsible for the content of external Internet sites