Hacker Cracks Industry Watchdog Email Account

A computer hacker has accessed a staff member’s email account at Financial Services Complaints, says the company.

A statement from the dispute resolution service says it became aware that a “…malicious third party gained access” to a case manager’s work email account.

The hacker used the account to send ‘spoof’ emails to some of the company’s clients asking them to click a bogus link to review their complaint.

Susan Taylor, CEO of the company, says the emails were designed to look like official emails, but were not sent from the staff member’s company email address.

“We know that the third party accessed emails between the case manager and three consumers,” says Taylor.

“Based on the way the third party used these emails, we suspect that they only accessed a few chains of emails regarding recent complaints, and did not access any attachments.”

The company’s external IT provider says the problem appears to be limited to one staff member’s account, and there is no evidence the company’s security systems were breached.

Taylor says: “While we cannot be certain, it is most likely that the third party has either been able to guess the staff member’s password, or the staff member has used the same password on another account which has been hacked.

“We have taken steps to ensure there is no ongoing [third-party] access to our systems and have increased our IT security measures to ensure this does not happen again.”

The company has introduced additional authentication measures for its computer system and is increasing staff training around preventing phishing and best practice in data security.

Financial Services Complaints reported the incident to CERT NZ, the police, and the Privacy Commissioner. It has also contacted all potentially affected consumers and scheme participants.

The company’s members include insurance companies, mortgage brokers, insurance brokers, financial advisers, trustees, and fund managers.

Taylor says this week’s announcement by the FMA about cyber-security “was purely coincidental”.