Travel insurance provider to the over-50s Staysure has admitted customers may have had their financial information stolen during an October 2013 cyber attack.
The company has warned the encrypted payment card details of 93,000 customers who purchased insurance before May 2012 may have been stolen, along with unencrypted CVV details (the three digit security code on the back of cards). Customer names and addresses may also have been taken, it admitted.
A spokesperson for the company told IT Pro: "As soon as we became aware of the problem on November 14, we immediately removed the software and systems that the attackers exploited, and we are confident that we have taken the right steps to protect our customers in the future.
"We informed the relevant card issuing bodies straight away and subsequently The Financial Conduct Authority (FCA), the Information Commissioner's Office (ICO) and the police."
Independent consultants had also been brought in to work out what went wrong and how far-reaching the hack was, the spokesperson added.
Staysure's CEO has also issued a statement via the organisation's website, saying the firm is "deeply sorry and [is] working diligently to make sure that inconvenience to customers is minimised."
He also sought to reassure other customers, stating that if they have not been written to, they have not been affected.
However, the company's handling of the situation has been criticised on two fronts. Firstly, it took a month for the affected customers to be notified and the stored CVV information should never have been retained.
One customer told the BBC she was "astonished they kept [the CVV code] in an unencrypted form".
"I can't understand why I wasn't informed earlier. [Staysure] had clearly been in contact with the Financial Conduct Authority, the Information Commissioner and the police and it seems to me as a victim I was the last person to find out about it," the customer explained.
Staysure's spokesperson said, based on the advice it received, the company waited until it had identified the affected customers to prevent the spread of unnecessary worry. He added the company no longer retains any of its customers' financial information.
An ICO spokesperson confirmed it was investigating the hack.
"We have recently been made aware of a possible data breach which may involve Staysure. We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken," the spokesperson said.
