In an email to affected customers on Thursday, the firm’s data protection officer Eric Lelyon advised that the breach hit users of its health portal, including past customers, reports business technology new website Zdnet.
Lelyon said the breach “exposed” the customer’s email address, date of birth and mobile phone number.
The mobile number was used to transmit one-time passwords (OTPs) when users transacted on the portal.
No other personal information, such as credit card details, identification numbers, health statuses and next-of-kin information, was compromised, he wrote.
He said customers would not need to take any specific action, since the breach was “not likely to, on its own, expose you to identity theft”.
Customers were urged, however, to be aware of potential phishing attempts aimed at extracting additional personal information.
“In the unlikely event you feel that you may have inadvertently disclosed personal data as a result of a phishing attempt in the last few months, it is possible this could be connected to this hacking incident, and if so, we urge you to file a police report,” he said.
Axa Insurance has reported to incident to the police and has “taken all remedial action” to safeguard its health portal and prevent it happening again, Lelyon said.