It seems there will be some red faces at travel insurer Staysure after their legacy systems were hacked and customer card payment details extracted.
Reports suggest that the data taken is not directly useful as the hack only obtained the card security code, rather than the card number also. Why the CVV was stored hasn’t been explained as yet and I am sure the Data Commissioner will be wanting that question answered. The card payment rules prohibit that information from being retained. Further, to store it in an unencrypted manner opens significant risk.
I am sure that there will be an in-depth investigation of all security policies and the necessary changes implemented. The FCA may yet impose fines once the scale of the security breach is exposed.
Hopefully, no customers have had their accounts used fraudulently.