An unauthorised third party exploited a known vulnerability in the Sitefinity software to carry out a brute-force attack and upload malicious code to the Chartered Institute for Securities & Investment (CISI)'s website checkout page. The code captured payment details of an estimated 3,883 UK Data Subjects, as well as other personal data including names and email addresses.
CISI instructed a third party to conduct a forensic investigation, which found that CISI were running unsupported software with a number of vulnerabilities, one of which was a critical vulnerability for which a security patch had been available since 2017. CISI also advised that no penetration tests had been conducted prior to the incident, and that 654 Data Subjects had reported fraudulent activity on the payment cards affected by the incident.
CISI may have missed opportunities to identify the data breach earlier, as a number of individuals had reported card fraud prior to a group notification on 14 April 2020, at which point CISI conducted a full investigation.