Hackers breach customer banking data stored at British travel insurer

Financial Services

About 93,000 people who bought policies from Staysure before May 2012 may be at risk.

The company says attackers may have stolen the three-digit Card Verification Value numbers of some policy holders.

Staysure learned of the breach on 11/14/2013. One customer, Francine Collison, told the BBC she had received a letter on 12/19/13 from Staysure warning her of the incident, which the company said it believed had happened at the end of October.

It is unclear whether Staysure has violated payment card security policies.

A spokesperson for Financial Fraud Action UK, representing the bank card industry, said: "The holding and storage of the three-digit Card Verification Code data (also known as the Card Security Code) by merchants and payment intermediaries is expressly prohibited under card schemes rules."

Ryan Howsam, chief executive of Staysure, said customers' CVV numbers are no longer kept by the firm.

"These were legacy systems. We initially stored [them] to help customers with their renewal process," he said.

In a letter written to customers, the company said, "While the payment card number you provided was encrypted, some of the other personal data that you provided to us, including the 3 digit CVV number on the back of the card, may have been accessed.

"Although you will understand that this cannot be used without the payment card number, there is still a risk that by using our records combined with data obtained from elsewhere, it may be possible for your card to be used fraudulently."

Collison criticized the way her data had been handled.

"[The firm's explanation] suggests that the CVV number had been stored and had not been encrypted. That's a security code and I'm astonished that they kept it and in an unencrypted form," she said.

Collison added: "I can't understand why I wasn't informed earlier. They'd [Staysure] clearly been in contact with the Financial Conduct Authority, the Information Commissioner and the police, and it seems to me as a victim I was the last person to find out about it."

Customer names and addresses may also have been taken, IT Pro reports. A spokesperson for the company told the publication: “As soon as we became aware of the problem on November 14, we immediately removed the software and systems that the attackers exploited, and we are confident that we have taken the right steps to protect our customers in the future.”

ThreatWatch is a regularly updated catalog of data breaches successfully striking every sector of the globe, as reported by journalists, researchers and the victims themselves.