Fintech pet insurer has become the latest firm to be hit by a cyber attack, after an employee was targeted with phishing

Fintech and pet insurance startup Revolut has been hit by a highly targeted cyber-attack, which resulted in an unauthorised third party gaining access to the details of a small percentage of customers.

Around 0.16% of the firm’s customer details were accessed for a short period of time, which Revolut discovered late on 11 September – no funds were accessed or stolen.

The threat actor used social engineering methods to coax one of Revolut’s employees into a phishing scam, allowing access to its internal systems.

A spokesperson for Revolut said: “We immediately identified and isolated the attack [on 12 September] to effectively limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted.

“Our customers’ money is safe – as it has always been. All customers can continue to use their cards and accounts as normal.

“We take incidents such as these incredibly seriously and we would like to sincerely apologise to any customers who have been affected by this incident as the safety of our customers and their data is our top priority at Revolut.”

The startup has been investigating the incident thoroughly and working with the Information Commissioner’s Office, other regulators and all relevant authorities, it added.

Key learnings

Matt Aldridge, principal solutions consultant for BrightCloud at OpenText Security Solutions, told sister publication Insurance Times: “Organisations in every sector increasingly rely on digital technologies to deliver their services.

“Therefore, the key lesson for businesses that hold private information is that they should ensure they have clearly defined security policies and procedures to avoid any information leak. It is crucial that staff are properly trained, which underscores all effective cyber resilience and data protection strategies.

“To minimise the risk of personal data breaches happening in this digital world, all organisations must work hard to ensure that sensitive data remains secure. Once the sensitive information is exposed, it can further lead to future cyber-attacks, or it could be used for extremely targeted social engineering attacks on the customers involved.”

Aldridge added that security awareness training programmes can now inform and educate employees on the latest threats in real time, including information security, social engineering, malware and industry-specific compliance topics.

“Attack simulations can also be used to automatically send users for re-education should any training issues be identified,” Aldridge said.