After breach, U.K. insurance firm notifies 93K customers

Staysure, an insurance carrier in the U.K., has notified more than 93,000 customers of a data breach that exposed personal and payment card data.

Last October, criminals targeted servers maintained by Staysure and compromised the personal information and payment card data of 93,389 customers. The breach was detected in November, but notifications didn't start going out until late December. According to the company's statement, the attackers exploited software hosted on the server in order to gain access.

The data exposed during the incident included names and addresses, as well as payment card details, including CVV numbers. In all, Staysure says the breach impacted 7 percent of its customer base.

The card numbers themselves are reported to have been encrypted, but it looks as if the CVV codes and the other customer data were not. According to the company, CVV data is no longer stored on its servers, and Staysure says that the practice was halted in May of 2012.

Many experts have expressed concern that CVV details were being stored at all, let alone being stored in unencrypted form. A spokesperson for Financial Fraud Action U.K. noted in a statement that storing or holding such data is "expressly prohibited under card scheme rules."

From the company's statement:

"We became aware of the problem on November 14, and quickly informed the relevant card issuing bodies and subsequently The Financial Conduct Authority, the Information Commissioner’s Office and the Police. We immediately hired independent forensic data experts to fully ascertain the extent of the problem and have written to 93,389 affected customers, which represents fewer than 7% of our customer base, to warn them and to ask them to check that they have not been the victims of any fraud as a result."

Those who had their data exposed are eligible for identity monitoring services from Data Patrol. However, Staysure says that only customers who have received a letter in the mail about the data breach are impacted by it.

Customers with questions can call 0800 007 4540 or 01604 214 575 for additional information.
