Breach leads motor assessor to boost cyber security

Motor loss assessing firm AAMC says it is boosting its cyber security after an unauthorised breach affected part of its systems.

“[We] have conducted a subsequent, extensive penetration test with our security testing provider and are currently implementing additional processes and procedures to further improve our security measures and staff education,” MD Steve Chapman said.

Brisbane-based AAMC says the incident did not meet the threshold for reporting to the Office of the Australian Information Commissioner (OAIC).

But it has notified its clients, which include major motor insurers Suncorp and IAG.

The breach in early June was caused by “a known cyber security researcher” who looks for company vulnerabilities and then offers to help improve data security.

AAMC says the breach affected a database service used by the firm, which contains a subset of information for searching for files.

“Our full database was secure and we can confirm was not accessed,” Mr Chapman said in a statement to insuranceNEWS.com.au.

An IAG spokesman told insuranceNEWS.com.au that the company “will continue to work with AAMC as it implements additional security measures and procedures to prevent a similar incident in the future”.

Suncorp is also monitoring the situation, with a spokesman saying the insurer is “continuing to seek assurances from AAMC about the issue and its ongoing security arrangements”.

An OAIC spokesman says the office does not generally comment about specific incidents but confirmed that unauthorised access to, loss or disclosure of personal information that is “likely to result in serious harm” is the reporting trigger.

“Where we are made aware of a potential privacy incident or notifiable data breach, the OAIC may engage with the organisation involved to establish the facts of the matter,” the spokesman told insuranceNEWS.com.au.

AAMC says it took immediate steps to close the vulnerability and engaged a cyber forensic investigator. The systems area accessed contains minimal personally identifiable information.

“We received written confirmation from [the security researchers] that they had not and do not share any data with third parties, nor had they disclosed the discovery to anyone other than AAMC,” Mr Chapman said.

“They confirmed that any data they extract for the purpose of verifying vulnerabilities is deleted.”