“We are deeply sorry that this occurred.”
This is what Alan Vallance, CEO of the Chartered Insurance Institute (CII), said after the professional organization disclosed a cybersecurity incident affecting the CII’s systems.
Vallance stated in a statement, “We recently discovered that an unauthorized third party had gained access to the CII’s IT (information technology) systems.
“We immediately took steps to secure our systems and hired outside IT experts to investigate what happened and determine whether it had any impact on our members’ and customers’ personal information. We also informed the ICO (Information Commissioner’s Office) of the incident.
The incident was reported to the professional group on September 30. It issued a press release about the breach after the forensic investigation was completed.
“I’m sorry to inform you that the investigation discovered that a small amount of personal information from approximately 20% of our customer records was accessed,” Vallance said.
“Among the information exposed were the affected people’s names (or the names of their businesses), addresses and/or email addresses, phone number(s), and dates of birth. Financial information was not available.”
In addition, he stated, “We’ve spoken with everyone who has been affected by this. If we did not contact you, you were not affected.”
The CII explained what happened by stating that a routine update patch was not initially installed correctly on its systems. People affected by the breach are said to be at “very low risk” because the information accessed was most likely already public.
“However,” the CEO stated, “in the spirit of being open and honest, we have told [members and customers].”
“We are committed to keeping the data we have safe,” Vallance added, “and we have gone through a thorough review of our security systems and testing protocols and made improvements.”