Around 20% of institute’s customers’ personal data was accessed, although this did not include financial information

The Chartered Insurance Institute (CII) has today (28 October 2022) issued an apology over a cyber breach that saw an unauthorised third party access its IT systems and customer personal data.

CII chief executive Alan Vallance said: “We are sorry that this incident happened.”

The CII was alerted to the incident on 30 September 2022.

An external investigation concluded that around 20% of personal data relating to customer records was accessed – including individuals’ names, names of firms, addresses, email addresses, telephone numbers and dates of birth.

No financial information, however, was accessed.

Those who were impacted by the breach have been contacted by the CII – the organisation said that if customers had not been contacted, their data had not been breached in the incident. 

The data breach was also reported to the Information Commissioner’s Office (ICO).


As the information was already likely to be in the public domain, the CII was advised that there was very low risk to affected members and customers.

The insituted stated: “We have undertaken a detailed review of our security systems and testing protocols in light of this incident and made improvements.

“We are fully committed to do all that we can to maintain the security of the data that we hold for our members and customers.”

The CII’s issue of apology follows Lloyd’s of London detecting “unusual activity” on its network on 5 October 2022, although no evidence of compromise was later found.