Update on a recent IT security incident

We recently identified that the CII’s IT systems had been accessed by an unauthorised third party. We immediately took steps to secure our systems and appointed external IT experts to investigate the incident and identify any impact on our members’ and customers’ personal data. We also reported the incident to the ICO.

I regret to say that the investigation has concluded that a limited amount of personal data relating to a small proportion (around 20%) of our customer records was accessed. The data impacted for the affected individuals was their name (or names of firms), address and/or email address, telephone number(s) and date of birth. No financial information was accessed.

We have contacted all those who were impacted by this incident. If you haven’t heard from us, you were not affected.

Given that this information was already likely to be in the public domain, the advice we have received is that there is very low risk to members and customers affected. However, we have informed them in the spirit of openness and transparency.

As you know, it is always good practice to be vigilant, especially if you receive unsolicited phone calls or emails containing links. The National Cyber Security Centre and Action Fraud both have lots of useful help and advice on how to protect yourself and your business. We have also published some Q&As below that you may find useful.

We are sorry that this incident happened. We are committed to maintaining the security of the data that we hold and we have undertaken a detailed review of our security systems and testing protocols and made improvements.

Alan Vallance, CEO

Q&A

How many people were impacted?

Around 20% of our live customer records were impacted and we’ve contacted all affected individuals. If you haven’t received an email from us then you were not affected.

When did you find out about the incident?

We were alerted to the incident on 30th September. We took immediate steps to secure our systems and appointed external IT experts to investigate the incident and identify any impact on our members’ and customers’ personal data.

Have you informed the ICO?

Yes, we have kept the ICO updated.

What do customers need to do?

Our affected members and customers do not need to take any specific further action, just remain vigilant for suspicious activity.

Why didn’t you make me aware of this before?

As soon as we became aware of the incident we took steps to secure our systems and appointed external IT experts to investigate and identify any impact on our members’ and customers’ personal data. These forensic investigations are complex and time consuming but now that process is complete we are able to communicate with our members and customers.

What additional security measures are you putting in place?

We are committed to maintaining the security of the data that we hold, recognising the need to continually review and improve our approaches. We have undertaken a detailed review of our security systems and testing protocols in light of this incident and made improvements. We are fully committed to do all that we can to maintain the security of the data that we hold for our members and customers.