Data breach hits major South African insurance player

QSure, a big player in South Africa’s insurance industry, has been hit by a data breach in which bank account numbers and other sensitive information were compromised by a third party.

The company would not said how many records were exposed through the breach, only that the incident is “still being investigated”.

“On 9 June 2021, QSure became aware that it had been subject to illegal and unauthorised access to its IT infrastructure, and immediately isolated its IT network and shut down its systems,” said chief operating officer Ian du Toit in e-mailed response to questions from TechCentral.

QSure is a registered financial services provider and one of the collection agencies that provides collection and premium handling services for the South Africa insurance industry. Its clients include big insurance companies and insurance brokers.

“QSure immediately appointed three industry-leading and independent cyber-forensic and security technology firms to conduct a detailed forensic investigation into the cybersecurity incident,” Du Toit said. “QSure takes the safety and security of its clients’ data extremely seriously. The company has notified insurers and brokers with whom it does business, as well as the relevant regulatory authorities, and continues to provide support in this regard.”

‘Exfiltrated’

Preliminary investigations show that the compromised data had been “exfiltrated” from the company’s servers. “The data relates only to policyholders who are clients of QSure’s customers (insurers and brokers) and includes banking details, limited to the account holder name, bank account numbers and bank branch codes. No policyholder identity numbers, credit card details, any form of contact details, or policy content are kept on QSure’s database and therefore could not be compromised,” Du Toit said.

“All brokers have been briefed and have, in turn, notified or are in the process of notifying their policyholders.”
He said QSure’s IT platform has been “completely rebuilt” and “all necessary steps have been taken to ensure the environment is secure”.

“It was built and configured under the guidance of forensic security and technology consultants, appointed specifically to assist with managing the incident.”

QSure did not answer questions about whether it knows who was responsible for the breach or how they were able to compromise the company’s systems.

TechCentral first became aware of the breach when insurance firm Hollard sent an e-mail to affected customers notifying them about the breach.

“On Thursday, 17 June, Hollard received confirmation of a data breach at QSure, an administration company that facilitates the collection of debit orders for many of South Africa’s major insurers, including Hollard. The breach potentially affects all insurance customers whose debit orders are processed, or have been processed in the past, by QSure,” Hollard said.

“QSure have assured us that they reacted quickly to unusual activity on their servers on 9 June and took down all external connections as quickly as possible before restoring operations in a totally secured environment. They also immediately commissioned an independent investigation, and cybersecurity experts engaged by QSure confirmed on 17 June that that the activity had resulted in a breach, which included the unauthorised movement or copying of customer data to an external environment.”

Hollard said the breach has been reported to the “relevant authorities”.

Risk of fraud

“We need to advise you that there is a possibility that information stored on the QSure database now sits in unauthorised hands,” Hollard said its communication with customers.

“This information consists of account holder name, bank account number and branch details, and there is an increased risk of fraud and other identity crimes associated with this information being in the hands of cybercriminals. No identity numbers or other data, often used in conjunction with banking details to perpetrate fraud, was compromised.”

Hollard advised its clients, among other things, to be cautious of phone calls, e-mails or SMSes that ask for their personal information, and not to disclose this information, especially Pins and passwords.

“If you suspect that you have been contacted by a fraudster, notify your bank or appropriate service provider. Examine your bank records and accounts more closely and report and request the reversal of any suspicious or fraudulent transactions. And change your passwords regularly and try use different passwords for all of your accounts.”

Hollard also advised clients to visit haveibeenpwned.com, which allows them to check whether their personal data has been compromised through security incidents such as data breaches.  — © 2021 NewsCentral Media