Just like a sudden downpour, a social media uproar flooded X (formerly known as Twitter) overnight. The cause? The posting of a communication sent to a Discovery Insure client, informing her that her personal information had been shared without her consent.
Sygnia chief executive Magda Wierzycka took to X on Wednesday evening, stating that she received an email from Discovery Insure informing her that some of her personal information has been shared without her prior consent with an unauthorised party.
“They had a data breach. Discovery told us they have revealed our address, contact details, IDs, every item we have insured, value of everything – everything to make us a target! They don’t know who did it. They didn’t apologize)!”
Wierzycka attached the notice received – sent “according to section 22 of the Protection of Personal Information Act (POPIA)” – to her post.
Describing the details of the incident, the notice said that, as part of Discovery’s proactive audit and forensic screenings, it had detected an incident where an impersonator called the Discovery Insure call centre, requesting the client’s policy schedule.
“A detailed investigation revealed that the impersonator most likely obtained personal information from historical third-party data breaches, including credit bureaus (2020), messaging platforms (2024), and other data scraping techniques,” the notice read.
It said the impersonator used this information to bypass Discovery Insure’s verification (IDV) screening “and as such the policy schedule was obtained”.
The personal information shared included the client’s name and surname, cellphone number, email address, residential address, identity number, and details of the items on cover.
According to the notice, none of Discovery’s systems were compromised because of the incident.
In a post in a thread on X, Discovery said: “Please allow us to clarify. This incident affected less than 20 Discovery Insure clients who received individual communication on 17 May and 5 June, outlining the event and offering support, including personal security consultations and physical premises security assessments.”
Discovery said it reported this to the Insurance Crime Bureau (ICB) and the South African Banking Risk Information Centre and appointed forensic specialists to continue ongoing screening.
Just days before the fallout on X, the ICB warned that criminals were targeting insurance companies, through their call centres, impersonating policyholders and requesting copies of their policy schedules and claims histories.
Santam, South Africa’s largest short-term insurer, urges the public to be vigilant when dealing with people who phone them, purporting to be representatives of insurance companies.
Identity theft and insurance fraud are illegal, and perpetrators can be sentenced to jail if found guilty by a court of law.
According to the ICB, perpetrators of this crime contact insurance companies’ call centres and pose as legitimate policyholders. They request sensitive documents such as policy schedules and claims histories under the guise of routine updates, which is not unusual, particularly when consumers are shopping around for better premiums.
In the wrong hands, this information can be used to perpetrate various criminal acts, including identity theft, fraudulent insurance claims, and financial scams. Policy schedules contain personal information, including the name of the insured, their identity number, residential address, and policy details.
Charisse Ras, Santam’s group chief risk officer, said the public needs to be extremely cautious when dealing with persons purporting to be representatives of insurance companies.
“As Santam, we are committed to ensuring the safety of clients’ information. We therefore are continuously monitoring all emerging threats, and we work very closely with the authorities to protect the public and our clients. We also urge the public not to hesitate to contact their insurer if they have any concerns or require assistance,” Ras said.
She said the public can do the following to protect themselves against fraud:
- Be cautious when receiving requests for personal information and perform the necessary security checks to confirm you are speaking to a representative of an insurance company.
- Verify the identity of the requester before sharing any personal information.
- If you suspect that you have been targeted by fraudsters or have inadvertently shared personal information with them, report the incident to your insurer and the appropriate authorities immediately.
Santam has a task team to deal with instances of fraud. Policyholders or members of the public who want to contact Santam about alleged acts of insurance crime can email group.intelligence@santam.co.za or phone the fraud line on 0860 600 767.