CISI reprimanded for data breach
The Chartered Institute for Securities & Investment has been reprimanded by the Information Commissioner’s Office (ICO) following a data breach on 17 February 2020.
The reprimand to the CISI was issued in February 2023, following a third-party forensic investigation commissioned by the CISI.
The CISI reported the breach to the ICO on 16 April 2020.
The ICO is the UK’s independent body set up to uphold information rights, including GDPR.
On 17 February 2020 an attacker exploited a known vulnerability in software used by the CISI to inject malicious code into its website checkout page.
The code captured payment details and personal data for around 3,883 CISI members and other site visitors. Of these, 654 saw fraudulent activity on their payment cards.
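The attack described above is a client-side skimmer: script injected into the checkout page runs in the customer's browser and captures card data as it is entered, so server logs look normal and the first signal is often card fraud reported by customers, as happened here. One defensive control is to baseline the script inventory of the checkout page and alert when it changes. The following script is an added example, not code from the CISI, the ICO or the forensic investigation; the sample pages, host names and script paths are constructed placeholders.

```python
"""Checkout-page script inventory monitor (added example, constructed sample data).

Records the <script> elements on a known-good checkout page, then audits a later
copy of the page and reports any script that was not there before: an external
script from an unapproved host, a new external script, or an inline script whose
SHA-256 is not in the approved set.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptInventory(HTMLParser):
    """Collect external script URLs and SHA-256 digests of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []        # values of src= attributes
        self.inline_hashes = []   # sha256 hex digests of inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data, possibly in several chunks.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip().encode()
            self.inline_hashes.append(hashlib.sha256(body).hexdigest())
            self._in_inline = False


def inventory(html):
    """Return (external_srcs, inline_hashes) for one HTML document."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline_hashes


def audit(html, baseline_external, baseline_inline_hashes, allowed_hosts):
    """Compare a page against its baseline; an empty list means no deviation."""
    findings = []
    external, inline_hashes = inventory(html)
    for src in external:
        host = urlparse(src).netloc   # '' for relative (same-origin) URLs
        if host and host not in allowed_hosts:
            findings.append(f"script from unapproved host: {src}")
        elif src not in baseline_external:
            findings.append(f"new external script: {src}")
    for digest in inline_hashes:
        if digest not in baseline_inline_hashes:
            findings.append(f"unknown inline script sha256={digest[:16]}...")
    return findings


# Constructed known-good checkout page: one same-origin script, one script from the
# (placeholder) payment provider, one inline configuration snippet.
BASELINE_PAGE = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://js.example-psp.test/v3/"></script>
<script>window.checkoutConfig = {currency: "GBP"};</script>
</body></html>"""

# Constructed tampered copy: an external script from an unknown host and an
# unexpected inline script have been appended before </body>.
TAMPERED_PAGE = BASELINE_PAGE.replace(
    "</body>",
    '<script src="https://cdn.unknown-host.invalid/x.js"></script>\n'
    '<script>/* unexpected inline script (placeholder body) */ void 0;</script>\n'
    "</body>",
)

ALLOWED_HOSTS = {"js.example-psp.test"}   # placeholder allowlist of third-party hosts


def baseline():
    """Build the approved inventory from the known-good page."""
    external, inline_hashes = inventory(BASELINE_PAGE)
    return set(external), set(inline_hashes)


def run():
    """Audit the tampered page against the baseline; returns two findings."""
    return audit(TAMPERED_PAGE, *baseline(), ALLOWED_HOSTS)


if __name__ == "__main__":
    for finding in run():
        print("ALERT:", finding)
```

Run it periodically from a host that is separate from the web server, and store the baseline and allowlist there too: if the baseline lives on the compromised server it can be rewritten along with the page. A Content Security Policy on the checkout page complements this check by blocking script loads from hosts that are not on the allowlist in the first place, and such a monitor would have surfaced a page modification well before the customer fraud reports that eventually triggered this investigation.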
A spokesperson for the CISI said: "The reprimand, published in February 2023, relates to an incident in early 2020. CISI immediately informed the ICO as well as affected customers and other regulators. The ICO welcomed the remedial steps taken. All further actions recommended by the ICO were implemented in 2020. The ICO has since closed the case."
The forensic investigation concluded that the CISI was running unsupported software with a number of vulnerabilities, for which a security update had been available since 2017.
The CISI had also not conducted any penetration tests prior to the incident.
The ICO also reprimanded the CISI for not identifying the breach earlier: a number of individuals had reported card fraud before the group notification on 14 April 2020 that prompted the professional body to begin its investigation.
The CISI has since installed additional security measures and updated the affected software.
The professional body also offered financial compensation to those affected as well as access to credit monitoring services.