Further clarification regarding the press release of 10 May

KBC Insurance proactively informs 140 corporate customers that they and their employees may have fallen victim to a vulnerability in the system of an external service provider.

On 10 May, KBC Insurance proactively informed 140 corporate customers that they might have fallen victim to a vulnerability in the system of an external service provider. The companies concerned use this system to file claims relating to occupational accidents involving their employees and to store some of their HR records. A thorough investigation was launched immediately, involving the external service provider and external cybersecurity specialists, and supported by KBC’s own cybersecurity experts.

KBC Insurance took this incident very seriously indeed and immediately informed all the employers involved. They were asked to use their internal channels to communicate the following message to their employees.

Possible unauthorised access, but as yet no indication that data has actually been copied, extracted and/or used

The in-depth investigation revealed that there was a possibility the vulnerability in the external service provider's system gave a third party unauthorised access to certain data, including data relating to the employees of these 140 corporate customers. This includes sensitive personal information, such as HR data and medical details linked to accidents at work. KBC Insurance deeply regrets this incident, but to date there has been no indication that data has actually been copied, extracted and/or used.

KBC Insurance takes all necessary measures

KBC Insurance acted as soon as it was aware of the incident. At our request, the external service provider immediately disabled the application to prevent any further unauthorised access to the data. An in-depth investigation was also carried out by internal and external cybersecurity experts, which enabled the vulnerability to be eliminated and its impact to be identified. KBC Insurance will continue to communicate openly and transparently on this incident.

In the meantime, we are making sure that occupational accident claims can continue to be processed smoothly and securely. As soon as claims can again be filed digitally in a fully secure manner, we will inform the companies involved.

KBC Insurance notified the competent authorities, including the Data Protection Authority, immediately after the vulnerability was identified in the external service provider's system and will continue to keep them up to date with the situation.

KBC Insurance advises vigilance

It is important for KBC Insurance to point out that third parties who may have gained unauthorised access to certain data (such as contact details, dates of birth and national registration numbers,…) could misuse this data for the purposes of identity theft or phishing. We wish to stress again, however, that there has been no evidence of this to date.

By publishing this communication on www.kbc.be, we are repeating our advice to remain alert to possible fraudsters who try to deceive consumers online in order to steal personal data or money. General tips and information on preventing phishing can be found on the KBC website.

In particular, KBC Insurance recommends:

  • Vigilance if you receive unsolicited requests from an unfamiliar source, such as e-mails from a misleading domain name, social media messages or text messages, asking for personal information or payment.
  • Regularly changing your passwords and access codes for accounts you use, such as for apps, various websites or your e-mail address, even if you are not a direct user of the app concerned. It is always advisable to change your passwords regularly, regardless of the app.

KBC Insurance is on hand to answer your questions

If you want to know whether your data could have been compromised or if you have any questions, be sure to send them in an e-mail to ACM_dataprotection@kbc.be. Our experts will be more than happy to help you.