Lessons from Staysure's security breach
Over the weekend, BBC Radio 4’s MoneyBox programme reported on travel insurer Staysure’s recent IT security breach, with some 93,000 customers potentially at risk. In a letter sent out to customers in December, the insurer said it had become aware of the breach on 14 November and that although customers’ payment card numbers had been encrypted, other personal details including CVV numbers had not and could therefore have been stolen.
Holding unencrypted CVV codes is, as a spokesperson for Financial Fraud Action UK points out, “prohibited under card schemes rules”. Unfortunately, many companies still handle payment data in this way, though Staysure says that it has now implemented technology to address this.
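The failure described here, a CVV retained in storage next to an encrypted card number, is the kind of thing a merchant can check for mechanically. The following is an added example, not code from Staysure or from the original article: it strips sensitive authentication data before a payment record is persisted and audits existing records for CVV retention. Field names such as `pan` and `cvv` are assumptions for the example.

```python
import re

# Fields that card scheme rules (via PCI DSS) class as sensitive authentication
# data: they may be used to authorise a transaction but must never be retained
# afterwards, encrypted or not. Field names are assumed for this example.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cvv2", "security_code", "track_data", "pin"}


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy of a payment record that is safe to persist.

    Sensitive authentication data is dropped entirely and the full card
    number (PAN) is replaced by its last four digits, which is all a
    customer-service view normally needs.
    """
    clean = {k: v for k, v in record.items()
             if k.lower() not in SENSITIVE_AUTH_FIELDS}
    pan = clean.pop("pan", None)
    if pan:
        digits = re.sub(r"\D", "", str(pan))
        clean["pan_last4"] = digits[-4:]
    return clean


def audit_stored_records(records) -> list:
    """Flag stored records that still carry sensitive authentication data.

    Returns (index, field_name) pairs so the offending rows can be purged
    and the code path that wrote them located.
    """
    findings = []
    for i, rec in enumerate(records):
        for k, v in rec.items():
            if k.lower() in SENSITIVE_AUTH_FIELDS and v not in (None, ""):
                findings.append((i, k))
    return findings


if __name__ == "__main__":
    # Constructed sample records, not real customer data.
    incoming = {"name": "A. Customer", "pan": "4111 1111 1111 1111",
                "expiry": "12/26", "cvv": "123"}
    print(sanitize_for_storage(incoming))
    print(audit_stored_records([sanitize_for_storage(incoming), incoming]))
```

Running the audit against the live customer table on a schedule, rather than once, is what catches a new code path that starts writing the CVV again.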
But what is of greater concern is the fact that customers were not informed sooner. One such individual, Francine Collison, said, “They’d [Staysure] clearly been in contact with the Financial Conduct Authority, the Information Commissioner and the police, and it seems to me as a victim I was the last person to find out about it.” Unfortunately, as it currently stands, the law does not require firms to notify customers following a breach, so delays in informing customers are a widespread issue.
It is time to remember the voice of the consumer. Each of us has the right to expect our personal data to be treated with respect. Cases like this highlight the importance of the proposed changes to the EU data regulations, which will mean that organisations will be required to inform affected individuals and authorities within 24 hours of a data breach.
Many organisations are alarmed by this proposition, fearing the reputational damage that may ensue, and although this feeling is understandable, things undoubtedly need to change. Individuals should not be left uninformed about cases of fraud involving their own data, as is, sadly, too often the case. Customer service is key for any merchant, and with competition between brands now fiercer than ever before, it is essential that the customer is put first in every respect.
If we feel that our details, financial or otherwise, are not safe in the hands of a business, we will walk away, and trust is an essential factor in a thriving economy. In order to prevent reputational damage and the loss of valuable customers, merchants must ensure payment systems are safe.
When the Payment Card Industry Data Security Standard (PCI DSS) came into existence in 2004, there was a similar outcry against it, but since its inception, fraud levels have dropped. Now, new technologies make it possible for card data to bypass company infrastructure completely, meaning that secure systems are easy to implement. Perhaps the greatest benefit of this is that damaging instances of fraud can be entirely avoided. As well as evading a painful media storm, a totally secure payments service could also prove to be the unique selling point that puts a company ahead of its competitors.
For any company handling payments, protecting consumer data should be of paramount importance, and when things go wrong, the customer should be the first to know. No one should be under any illusions that Staysure’s is an isolated case – companies across the board still fail to treat the security of their customer data as a priority. As well as being about business sense and good customer service, this is about treating individuals with a level of respect which we all deserve. The industry needs to change and stronger regulation is needed to make this happen – this is why it is time that we embrace the changes to the EU data protection regulations.