Travel insurer Staysure warns customers over IT hack
The travel insurer Staysure has warned customers that some of their sensitive bank card details may have been stolen after its IT security was breached.
Some 93,000 people who bought policies prior to May 2012 may be at risk, it said.
Staysure said it believed hackers may have stolen the three digit Card Verification Value (CVV) numbers of some policy holders.
It has apologised to customers, urging them to check their accounts.
In a letter written to customers, the company said it had become aware of the breach on 14 November.
It said: "While the payment card number you provided was encrypted, some of the other personal data that you provided to us, including the 3 digit CVV number on the back of the card, may have been accessed.
"Although you will understand that this cannot be used without the payment card number, there is still a risk that by using our records combined with data obtained from elsewhere, it may be possible for your card to be used fraudulently."
One customer, Francine Collison from London, told the BBC she had received a letter on 19 December from Staysure warning her of the breach, which it said it believed had happened at the end of October.
Ms Collison said she was angry about the way her details had been kept.
"[The firm's explanation] suggests that the CVV number had been stored and had not been encrypted. That's a security code and I'm astonished that they kept it and in an unencrypted form."
She added: "I can't understand why I wasn't informed earlier. They'd [Staysure] clearly been in contact with the Financial Conduct Authority, the Information Commissioner and the police, and it seems to me as a victim I was the last person to find out about it."
Meanwhile, a spokesperson for Financial Fraud Action UK, representing the bank card industry, said: "The holding and storage of the three-digit Card Verification Code data (also known as the Card Security Code) by merchants and payment intermediaries is expressly prohibited under card schemes rules."
Ryan Howsam, chief executive of Staysure, apologised to customers and said those affected were being offered a free subscription to a credit agency data monitoring service.
He said: "We did act as fast as we could. We locked down our systems. We deleted all of the card data from our live systems and brought in forensic IT specialists."
Mr Howsam also insisted customers' CVV numbers were no longer kept by the firm.
"These were legacy systems. We initially stored [them] to help customers with their renewal process."
The Information Commissioner's Office (ICO) said it was making enquiries into the incident.
It said the law did not require firms to notify customers following a breach.
Sir Alan Beith, MP for Berwick on Tweed and chair of the House of Commons Justice Select Committee which monitors the ICO, said companies needed to react quickly to let people know when security breaches took place.
"I think customers are entitled to be informed as soon as a company knows and that should be much clearer. This raises questions which I'd like to pursue with the Information Commissioner."