Discovery Insure call centre agents duped by impersonator into sending them clients' policy schedules

The fraudsters who got their hands on the policy schedules of some Discovery Insure clients didn’t stage an elaborate cyberhack into the company’s server; they simply impersonated the policyholders and got call centre agents to e-mail those schedules to them.

Among the 19 policyholders a rogue caller was able to impersonate with call centre agents, thus passing the verification process, was billionaire businesswoman Magda Wierzycka. The co-founder and CEO of financial services company Sygnia pulled no punches in her X post late on Wednesday night.

“Discovery told us they have revealed our address, contact details, IDs, every item we have insured, [the] value of everything — everything to make us a target!” she said.

“They don’t know who did it. They didn’t apologise!”

Wierzycka said she was cancelling “everything we have with Discovery”, including her staff members’ medical aid.

“Our staff details might be compromised in the same way,” she said.

Wierzycka questioned Discovery Insure’s verification processes. 

“How weak are they that you are willing to send out an unencrypted file with sensitive financial information? The risks of financial data breaches to such an extent (each item you insured described in detail and valued) exposes you to serious personal security risks. As if I didn’t have to live with that before.”

In an e-mail to affected clients, Discovery said it had picked up that the call centre agents had sent policy documents to “an impersonator” as part of Discovery’s “proactive audit and forensic screenings”.

The impersonator most likely obtained the information required to make Discovery call centre agents believe they were policyholders from historical third-party data breaches including that of credit bureaus TransUnion and Experian, as well as “messaging platforms” and other “data scraping” techniques.

Data scraping refers to gleaning key personal information from victim’s social media posts.

Discovery says it has reported the issue to the Insurance Crime Bureau and the South African Banking Risk Information Centre, and has appointed “forensics specialists” to continue ongoing screening.

Asked what the company had done to prevent fraudsters from successfully duping call centre agents into believing they were genuine policyholders requesting their policy documents, a spokesperson said it had “taken steps to enhance our identity and verification processes to keep our clients safe”. These include introducing new processes for accessing policy schedules and editing their recorded e-mail address.

“Before, once a client had passed the verification process with our call centre, they could update their e-mail address on our system, but this is now no longer possible. An e-mail address cannot be edited via the call centre; it can only be done through the app or online through our logged-in section of our website.”

Policy schedules will also no longer be available through the call centre, only on Discovery’s secure adviser portal, for appointed accredited advisers to retrieve on behalf of their clients, or via the app or website once logged in with two-factor authentication.

“We are enhancing the system to make this change in the short term,” Discovery said.

Call centre agents now ask callers more security questions, requiring more specific information.

“Clients are not told which of the questions they failed and if they do not pass these verification questions, we cannot assist them over the phone.”

• GET IN TOUCH: You can contact Wendy Knowler for advice with your consumer issues via e-mail: consumer@knowler.co.za or on Twitter: @wendyknowler.

TimesLIVE