In a press release on 28 October 2022, the Chartered Insurance Institute (CII) disclosed that the CII’s IT systems had been accessed by an “unauthorised third party.” The CII believes that around 20% of its customer records were accessed, including names, addresses, email addresses, telephone numbers and dates of birth.
The information taken is deemed likely to exist in the public domain. Therefore the incident has been categorised by the CII as “very low risk to members and customers.” The CII states that no financial information was accessed.
The CII was made aware of the security breach on 30 September 2022. According to Insurance Times, Lloyd’s of London detected “unusual activity” on its network on 05 October 2022, preceding the public disclosure and apology from the CII on 28 October.
In a blog on its website, the CII explains it “immediately took steps to secure our systems” and appointed external experts to investigate the incident and identify the impact. The incident was reported to the ICO. The CII contacted the 20% of customers and members whose records were impacted.
The CII informed the Personal Finance Society (PFS) as the data breach also affected some of its members.
The PFS said: “We of course take any incident of this nature very seriously and are engaged with the CII on how they are strengthening their cyber defences as an urgent priority.”
Moving forward, the CII has restated its commitment to maintaining the security of the data and has undertaken a detailed review of its security systems and testing protocols.
“We of course take any incident of this nature very seriously and are engaged with the CII on how they are strengthening their cyber defences as an urgent priority”
Alan Vallance, CEO of CII, issued an apology as part of the disclosure blog. He wrote: “We are sorry that this incident happened. We are committed to maintaining the security of the data that we hold and we have undertaken a detailed review of our security systems and testing protocols and made improvements.”
Whilst (reassuringly) no financial data was taken, CII members and customers should be extra cautious, remaining particularly vigilant about targeted phishing emails or unsolicited communications. This advice is no different from that we’d give to anyone – although fresh off the back of a security incident, it’s particularly relevant.
It’s always disappointing to see a lag between incident detection and public announcement, but the forensic investigation was likely complex and thus time-consuming. The public apology and explanation were undoubtedly appreciated by members, despite coming a month after detection. In incident response, there’s much to be said for accumulating all the facts before disclosure.
Preparation is fundamental to incident response. Check out our 24 hours in cyber incident response article for more on this.