The Chartered Institute for Securities and Investments (CISI) has confirmed that some of its members may have had their financial information stolen after “malicious code” was inserted on its website.
It comes after the professional body was made aware that members were noticing fraudulent activity on their credit/debit cards after a payment transaction on its website.
The CISI launched an investigation with help from its insurers and advisory group KPMG, and suspended all online transactions.
The investigation found that a “third-party” gained unauthorised access to the CISI’s website through a “third-party application” and inserted “malicious code”, which then captured information from members at the end of the site’s online checkout process.
The body said that it is “yet to identify the date the modifications were deployed”, but it believes “it is likely to have been in mid-February 2020”.
Apologetic
The CISI said in a statement: “We understand how distressing this news can be, and we apologise profusely to all our customers who are affected.
“We have now contacted 5,785 customers that processed a payment transaction through our website during the period between 1 February 2020 and 15 April 2020.
“Not all of these will have seen fraudulent activity; we anticipate this number to be closer to 1,000 affected.
“We are doing everything we can to investigate how this happened and we are actively working on solutions to ensure all future online transactions are safe.
“No other CISI member data has been compromised, but if members wanted to reset their MyCISI passwords – they can do this in their online portal.”
What can people do?
The CISI has suggested members take the following steps:
- If you are able to – freeze the card used on its site;
- Check online or paper statements for that card for any fraudulent activity; and
- Contact your bank or lender directly to inform them that your card may have been compromised and take their advice on any further actions.
The professional body said it has reported the incident to Action Fraud UK, the Information Commissioner’s Office (ICO), the National Cyber Security Centre and the Charity Commission.
There have been further developments to this story, including the measures that the CISI is taking to help victims of the fraud.