Tancred: The PMI’s membership database was not impacted by the attack
The Pensions Management Institute (PMI) has reported itself to the Information Commissioner’s Office following a cyber-attack which resulted in hackers gaining access to the names and email addresses of around 1,700 people.
The brute-force attack – which took place earlier this month – resulted in a breach of data which saw the hacker gain access to names and email addresses contained within an email inbox of one of the PMI’s members of staff.
Individuals affected by the breach were then sent an email, purportedly from the PMI, which asked them to click on a link which led to an unknown third-party website.
The PMI said its membership database was not affected by the attack.
PMI chief executive Gareth Tancred explained: “Last week one of our staff had their Outlook email account targeted and hacked.
“The perpetrator used a VPN through a Manchester data centre to gain access to the individual’s email inbox. Once inside, they were able to see a number of member and other stakeholder email addresses. It is not known at this stage where the attack originated from in the world, but our IT experts are working in close collaboration with Microsoft to investigate.”
The PMI said as soon as it became aware of the incident, it initiated its internal protocols in respect of data breach management – engaging the support of the Information Commissioner’s Office, IT specialists and its legal advisers.
He explained: “As soon as this sophisticated attack was discovered, the staff member’s email account was shut down. Our IT company immediately began a full and thorough investigation and they assure us that our iMIS member database has not been compromised, nor any financial systems, nor have any of our other IT infrastructure assets due to our own VPN being in place. They have also checked all staff laptops and have confirmed them to be clean with all security measures up to date.”
The PMI said its investigations indicate that just under 1,700 people had their details compromised and said it was in the process of contacting all those affected.
Tancred added: “I would likely to publicly apologise for any inconvenience that may have been caused by this attack and offer our reassurance that we are taking all appropriate steps to ensure that this never happens again.”
The PMI said it would inform individuals should the results of its investigation suggest further impact on the processing of their personal data and urged anyone that received the email to delete it immediately.
Tancred said: “If you have not already done so, please delete the email. As an additional precaution, and in line with our incident response protocol, we request all users of MYPMI update their passwords as soon as possible.”
The PMI said anyone with queries about the above should contact it at: [email protected]