The Chartered Insurance Institute (CII) revealed its IT system has been impacted by a “security incident”.
On 27 October 2022, the trade body said it recently identified that its IT systems had been accessed by an “unauthorised third party”.
To counter the cyberattack, the CII secured its IT system and appointed external experts to investigate the incident and any impact on members’ personal data. The incident was also reported to the Information Commissioner’s Office (ICO).
The institute revealed that a “limited amount of personal data” relating to around 20% of its customers was accessed. The information included names, addresses and/or email addresses, telephone numbers and dates of birth.
No financial information was accessed, however.
Allan Vallance, chief executive of the CII, said: “We have contacted all those who were impacted by this incident. If you haven’t heard from us, you were not affected. Given that this information was already likely to be in the public domain, the advice we have received is that there is very low risk to members and customers affected. However, we have informed them in the spirit of openness and transparency.
“We are sorry that this incident happened. We are committed to maintaining the security of the data that we hold and we have undertaken a detailed review of our security systems and testing protocols and made improvements.”
The Personal Finance Society (PFS) was informed by the CII as the data breach affected some of its members as well.
The PFS said: “We of course take any incident of this nature very seriously and are engaged with the CII on how they are strengthening their cyber defences as an urgent priority. Although we are advised that only a limited amount of personal data was accessed, we would always advise PFS members to be especially vigilant when it comes to their cyber security.
“The PFS leadership advises all members to continue to be cautious in responding to unsolicited emails and closely monitor for any suspicious or unusual activity.”