The professional body with 45,000 members says some members have reported “fraudulent activity” on their cards following a payment transaction on the CISI website.
The CISI website was shut down this morning for maintenance.
The organisation, which provides the Certified Financial Planner and Chartered Wealth Manager designations, has launched a probe with help from its insurers and KPMG.
The CISI has contacted 5,785 customers who processed a payment transaction through its website between 1 February 2020 and 15 April 2020.
It said not all of these have seen “fraudulent activity” but it anticipates about 1,000 have been exposed to a risk of fraud.
Investigations carried out since last Thursday revealed that a “third party” gained unauthorised access to the website through a rogue application and inserted malicious code which then captured information from customers at the end of the online checkout process.
The CISI said it was yet to identify the date the modifications to its website were deployed but believes it was likely to be in mid-February.
The body has suggested members take the following urgent steps:
• If you are able to, freeze the card you used on our site
• Check your online or paper statements for that card for any fraudulent activity
• Contact your bank / lender directly to inform them that your card may have been compromised and take their advice on any further actions.
The CISI said that if any member identified fraudulent activity they should contact their country's national fraud and internet crime reporting agencies.
In the UK this is Action Fraud, who can be reached on 0300 123 2040 or via www.actionfraud.police.uk.
In a statement today the global body said: “We understand how distressing this news can be, and we apologise profusely to all our customers who are affected.
“We are doing everything we can to investigate how this happened and we are actively working on solutions to ensure all future online transactions are safe. No other CISI member data has been compromised, but if members wanted to reset their MyCISI passwords – they can do this in their online portal.”
The CISI has made no comment yet on compensation for any victims of fraud from the attack.