“We are sorry that this incident happened.”
In a statement, Vallance disclosed: “We recently identified that the CII’s IT (information technology) systems had been accessed by an unauthorised third party.
“We immediately took steps to secure our systems and appointed external IT experts to investigate the incident and identify any impact on our members’ and customers’ personal data. We also reported the incident to the ICO (Information Commissioner's Office).”
According to the professional body, it was alerted to the incident on September 30. It issued a release about the breach following the completion of the forensic probe.
“I regret to say that the investigation has concluded that a limited amount of personal data relating to a small proportion (around 20%) of our customer records was accessed,” revealed Vallance.
“The data impacted for the affected individuals was their name (or names of firms), address and/or email address, telephone number(s), and date of birth. No financial information was accessed.”
He added: “We have contacted all those who were impacted by this incident. If you haven’t heard from us, you were not affected.”
Announcing what happened, the CII said a routine update patch was not initially applied correctly to its systems. As for the extent of the breach, there is said to be “very low risk” to those affected, as the accessed information was already likely to be in the public domain.
“However,” declared the CEO, “we have informed [members and customers] in the spirit of openness and transparency.”
Vallance also offered the following assurances: “We are committed to maintaining the security of the data that we hold, and we have undertaken a detailed review of our security systems and testing protocols and made improvements.”
