The Chartered Institute for Securities and Investments (CISI) has said it is taking measures to help members who were left vulnerable to financial fraud after its payments system was hacked.
The professional body confirmed on 24 April 2020 that some of its members may have had their financial information stolen after “malicious code” was inserted onto its website.
It was made aware this had happened after members said they noticed fraudulent activity on their credit/debit cards after making a payment on the CISI website.
Compensation
Simon Culhane, chief executive of the CISI, said in a statement: “I realise that, although over 85% of the people we contacted are unlikely to have seen fraudulent activity on their card, it is nevertheless a worry if people are concerned that some of their personal data has been compromised.
“So, we have taken great care to look after those directly affected, including measures to reduce the future risk to their personal identity and credit history. It is important to us that no one incurs any financial loss because of this incident.”
The CISI said it will be:
- Offering to reimburse any immediate expenses incurred in replacing payment cards after notification of the theft;
- Considering compensating members' financial loss, if they have not been able to come to an arrangement with the card issuer; and
- Arranging with credit and ID monitoring agency Experian for those who were affected or who were contacted by the CISI, and are based in the UK or in countries that Experian covers, to have the option of a complimentary year's subscription to its service.
Events
In February 2020, an unknown third party “successfully exploited a vulnerability in part of the commercial software we use to manage our website”, Culhane said.
The cyber attackers installed malicious code inside the software itself which, when triggered by an individual making a payment using a credit or debit card, “sent information back to the intruder’s server in Russia”.
This affected people making online payments on the CISI’s website until 16 April 2020, which is when it became aware of the cyber-attack and took action.
The data taken included payment card details, expiry date and CVV number, along with first name, last name, home address, postcode, and the primary telephone number and email address that were entered on the payment screen.
No passwords were taken.
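The attack described above is a web-skimming pattern: injected script on the payment page sends card data to a destination the site never intended. One defensive control is to audit the served checkout page against a known-good baseline, flagging scripts or form targets pointing at unexpected hosts and inline scripts whose hash is not in the baseline. The following is an added example, not code from the CISI or the article; the hostnames and page content are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class _PageAudit(HTMLParser):
    """Collect external script sources, inline script hashes and form actions."""
    def __init__(self):
        super().__init__()
        self.external_scripts, self.inline_hashes, self.form_actions = [], [], []
        self._in_script, self._buf = False, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external_scripts.append(a["src"])
            else:
                self._in_script, self._buf = True, []
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            digest = hashlib.sha256("".join(self._buf).encode()).hexdigest()
            self.inline_hashes.append(digest)

def baseline_inline_hashes(html):
    """Hashes of inline scripts on a known-good copy of the checkout page."""
    p = _PageAudit(); p.feed(html)
    return set(p.inline_hashes)

def audit_checkout_page(html, allowed_hosts, known_inline_hashes):
    """Return a list of findings; an empty list means the page matches the baseline."""
    p = _PageAudit(); p.feed(html)
    findings = []
    for target in p.external_scripts + p.form_actions:
        host = urlparse(target).netloc
        if host and host not in allowed_hosts:  # data would leave for an unexpected host
            findings.append(f"unexpected destination: {target}")
    for h in p.inline_hashes:
        if h not in known_inline_hashes:  # inline code changed or was added
            findings.append(f"unknown inline script sha256={h[:16]}")
    return findings

# Constructed sample pages: a known-good checkout page and a tampered copy.
ALLOWED_HOSTS = {"pay.example.test"}
BASELINE = """<html><body><script src="https://pay.example.test/checkout.js"></script>
<script>document.title = 'Checkout';</script>
<form action="https://pay.example.test/submit"><input name="card"></form></body></html>"""
TAMPERED = BASELINE.replace("</body>",
    '<script src="https://exfil.invalid/s.js"></script><script>injected();</script></body>')
```

Run `audit_checkout_page(TAMPERED, ALLOWED_HOSTS, baseline_inline_hashes(BASELINE))` periodically from outside the web server, since a compromised server can lie about its own state.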
Culhane added: “We understand that data was taken from just over 5,000 people with fraudulent activity likely to have been attempted on around 700 cards.
“Payments taken by telephone during this period were unaffected by this incident. All of our qualifications and exams are on a separate system and are completely unaffected.”
Preventing future attacks
The professional body also spoke about the steps it is taking to reduce the likelihood of a cyber-attack happening again.
“We treat everyone’s data with great care and are very disappointed that it was stolen whilst it was with us,” Culhane added.
“In order to reduce the likelihood of a repeat attack, we have implemented the recommendations of our cyber specialists to remove the malicious code from our webserver, installed additional security measures on the impacted webserver and will replace that webserver with a newly built alternative.
“We are confident that we have remedied the vulnerability which caused this attack and we have improved our overall web security.”