An attack on debit order collection company Qsure has impacted several South African insurers who use its services, including Hollard and Guardrisk.
Australian security researcher Troy Hunt recently posted a notice from Ooba to its clients saying that although they do not yet know if any Guardrisk and Ooba clients were affected, they decided to send out cautionary notifications.
Qsure informed Guardrisk on 20 June that it had suffered a “data incident” and that an unauthorised third party accessed policyholder information.
Hollard spokesperson Warwick Bloom told MyBroadband that they received a notice from Qsure on 17 June confirming a data breach.
The breach affected short-term insurance customers whose debit orders are processed via brokers who use or have used the Qsure service, dating back to 2014.
Bloom said that Qsure advised them that the information stored on the compromised database consisted of account holder names, bank account numbers, and branch details.
“We have taken steps to ensure that policyholders whose information has potentially been misappropriated have been alerted to the increased risk associated with this information being in third party hands,” said Bloom.
“No identity numbers or other data, often used in conjunction with banking details to perpetrate fraud, were compromised.
Bloom said that they had notified the offices of the information regulator and the appropriate insurance regulator.
“We have been reassured by the communication from Qsure regarding their response to this incident, in particular around the identification and resolution of the potential underlying security issues behind the breach, and continue to work with them to minimise the possibility of any repeat occurrence,” stated Bloom.
“As such, we remain supportive of Qsure as a premium administrator.”
Data breach at ooba in South Africa. Kinda. Maybe. It’s not entirely clear. pic.twitter.com/ob7E1iaJfV
— Troy Hunt (@troyhunt) July 11, 2021
Bloom said that they had offered policyholders the following advice to minimise the risk of fraudulent misuse of their data:
- Check your credit report for free by using Experian’s My Credit Check service.
- Be cautious of phone calls, emails or SMS messages that ask for your personal information — and do not disclose this information, especially PINs and passwords.
- If you suspect that a fraudster has contacted you, notify your bank or appropriate service provider.
- Examine your bank records and accounts more closely, and report and request the reversal of any suspicious or fraudulent transactions.
- Change your passwords regularly and try to use different passwords for all of your accounts. You can use a password manager like Bitwarden to help you remember all your different passwords.
- Check the “Have I Been Pwned?” website (the site operated by Troy Hunt) — this lets you check whether your personal data has been compromised by data breaches using your username or email address.
Bloom said that Hollard has set up a dedicated email address for policyholders to ask questions about the breach.
MyBroadband asked Qsure whether it has made any headway in its investigation into the attack on its systems, and the company responded with a statement they issued in June.
“On 9 June 2021, Qsure became aware that it had been subject to illegal and unauthorised access to its IT Infrastructure, and immediately isolated its IT network and shut down its systems,” Qsure COO Ian du Toit said in the statement.
“Qsure immediately appointed an industry-leading and independent cyber-forensic and security technology firm to conduct a detailed forensic investigation into the cybersecurity incident, as well as additional independent security experts to assist in managing the incident.”
Du Toit said that the company notified insurers and brokers with which it does business and the relevant regulatory authorities.
According to Du Toit, all brokers using the collection services of Qsure have been briefed and have proactively notified their policyholders.
“Qsure’s IT platform has been completely rebuilt, and all necessary steps have been taken to ensure the environment is secure,” Du Toit stated.
“It was built and configured under the guidance of forensic security and technology consultants, appointed specifically to assist with managing the incident.”
MyBroadband also contacted the Information Regulator regarding the attack on Qsure and the resultant data breach.
The regulator acknowledged the enquiry and said it would respond in due course.