The 45,000-member body, which has apologised for the breach, will consider paying out to anyone who has lost money.
The CISI believes that a professional gang in Russia was responsible for the hack attack on its website in February.
The attackers were able to install malicious code which, when triggered by a card payment, sent information back to the intruder’s server in Russia.
The attack affected people making online payments until 16 April, when the CISI became aware of the attack and took action.
Data stolen included payment card details, expiry date and CVV number, along with first name, last name, home address, postcode, and the primary telephone number and email address that were entered on the payment screen. No passwords were taken, said the CISI.
The data theft affected just over 5,000 customers and members and the CISI believes fraudulent activity was likely to have been attempted on around 700 cards.
Payments taken by telephone were unaffected, the CISI said. CISI qualifications and exams are on a separate system and also unaffected.
In a message of apology to members, CISI chief executive Simon Culhane Chartered FCSI said: “I appreciate that this news comes at a troubling time, especially as we are all in the middle of the Covid-19 pandemic and I am very sorry if this has added to your concern.”
The CISI says its measures to help members include:
• Offering to reimburse replacement card costs
• Compensating victims for financial loss, if they have not been able to come to an arrangement with their card issuer
• Arranging an optional complimentary year’s subscription to credit agency Experian for those affected (or those written to by the CISI and told that they were potentially affected)
Once the attack was spotted, all payments through the CISI website were suspended and the CISI notified the Information Commissioner’s Office and other regulatory bodies. It also reported the crime to Action Fraud and the UK National Cyber Security Centre.
The body has also taken advice from cyber-security experts on stopping further attacks and beefed up security on its website.