iA falls victim to cyber breachBy Andrea Lubeck | September 12 2019 01:30PM
It’s now iA Financial Group's turn to be hit by a cyber breach. Three representatives from the insurer's Quebec distribution network were victims of a phishing scheme. Unlike the incident at Desjardins Group, the intrusions came from outside the organization. In all, 2,864 of the insurer’s clients were affected.
The client information that may have been accessed includes: names, products purchased from iA and for some customers, date of birth, or bank details as well. In 129 cases, social insurance numbers were among the mix.
“At this time, there is no indication that our clients’ information was used for malicious purposes or sold to third parties,” Pierre Picard, spokesperson for iA Financial Group told Insurance Journal.
Three separate incidents
The insurer stated that the events occurred on June 20, July 8 and July 11. “They are separate incidents and are not related. With each incident, a person outside the organization succeeded in taking control of these advisors’ email account, giving him or her access to all the advisors’ emails. Although our clients’ personal information was not necessarily targeted, the perpetrators of the phishing scheme may have had access to some of our clients’ information, most of whom are located in Quebec,”said Picard.
He adds that the company's IT department "took immediate action" on all three occasions to regain control of the email accounts and that an investigation was carried out to understand what had happened.
iA says that it has introduced additional security measures to prevent future phishing incidents. The insurer adds that it has informed the regulatory authorities, in particular the Commission d’acces à l’information du Québec (access to information commission of Quebec) and the Autorité des marchés financiers (AMF).
A subscription to Equifax for five years
The company has offered affected customers a subscription to Equifax's credit monitoring service for a period of five years.
Phishing is an attempt to steal identities. The cyber criminal sends an email that invites the recipient to click on a hyperlink and enter personal information, such as a username and password.