Security

Discovery data breach: what is happening?

Luis Monzon

6th June 2024

A troubling data breach incident has emerged from Discovery Insure.
Sygnia CEO Magda Wierzycka was one of “less than 20” clients who had their private details stolen by an impersonator.
Discovery says that the impersonator managed to bypass its verification and identification screening using information stolen from unrelated data breaches.

On Wednesday, Discovery began sending out emails to affected clients of Discovery Insure, its insurance provider arm, that their personal data had been exposed in a breach.

Businesswoman and Sygnia CEO Magda Wierzycka, who is considered one of the wealthiest woman in the country, posted the email to X, asking for accountability from Discovery. As per the details of the breach: an impersonator managed to get past Discovery Insure’s Identification and Verification (IDV) screening and was given Wierzycka’s policy schedule by staff at the Discovery Insure call centre.

This includes private details like her name and surname, cell number, email address, residential address, ID number and the details of the items being covered on the policy.

Discovery data breach. Where is an apology? Where is a suggestion as to what to do? Anything. I am canceling everything I have ever opened with Discovery. pic.twitter.com/ioCkrxc2bz
— Magda Wierzycka (@Magda_Wierzycka) June 5, 2024

According to Discovery responding to users on X, this incident has affected less than 20 Discovery Insure clients, who had received notifications that this occurred on 17th May and 5th June. It seems that less than 20 clients were targeted by the impersonator or impersonators.

Discovery outlines in the notification to Wierzycka that “a detailed investigation revealed that the impersonator most likely obtained personal information from historical 3rd party data breaches, including credit bureaus (2020), messaging platforms (2024) and other data scraping techniques.”

This means that the impersonator had long been following the affected clients, including Wierzycka, on digital channels as they used these data scraping techniques to gather enough information to successfully bypass Discovery’s IDV and convince the call centre agent that they were Wierzycka and others.

To us, this seems like a sophisticated and premeditated strategy, and Discovery agrees which is why it is offering affected clients “personal security consultations and physical premises security assessments.”

Affected clients are likely people publically known to be wealthy, even though Discovery told BusinessTech that Wierzycka’s incident is an isolated one. The Sygnia CEO says that she is complaining to regulators on Thursday and that she is “cancelling everything we have with Discovery. Including Sygnia’s medical aid. Our staff details might be compromised in the same way.”

This may lead to Discovery losing a major client, but the bigger blow is to its reputation. The fact that a threat actor was able to bypass the company’s verification checks using information gleaned from other breaches and obtained sensitive information from an employee is troubling.

Is Discovery not able to use multi-factor authentication for this process? Or perhaps an OTP? Standard Bank, for example, asks clients to accept authentication directly from the mobile banking app when accessing sensitive information.

If these were in place, the impersonator would have required access to Wierzycka’s personal mobile, and thus failed in their ploy.