Santalucía halts access to its policies but maintains phishing alert due to DNI leak

Santalucía has notified clients of unauthorized access to its policies, originating on May 1st, that exposed name, phone number, email, and national ID. The company claims to have contained the breach and warns clients of the risk of impersonation.

21 May 2026 at 14:42h

Santalucía has notified its clients of unauthorized access to information associated with their policies, originating on May 1st. The company maintains that the incident is already contained and that it has not detected recent irregular activity, but the compromised data include name and surnames, postal address, telephone number, email address, and national identity document number.

The breach places policyholders in an immediate paradox. The entity states that it has contained the incident, yet at the same time it warns of the risk of social engineering or phishing campaigns precisely because this contact and identification data was exposed.

Santalucía warned that the national identity document number and contact details were exposed

In the message sent by email to its clients, the insurer detailed the scope of the unauthorized consultation. The communication specifies that the access affected information linked to the policies and lists the main compromised personal data.

"The incident has consisted of the unauthorized consultation of information associated with your policies, such as name, surnames, address, telephone number, email address, and national identity document number" - Santalucía, communication sent to clients

In addition to reporting the incident, the company stated that it has not observed recent irregular activity after containing the access. It also reminded users to exercise extreme caution regarding possible impersonation attempts through calls, messages, or emails.

In that notice, the entity emphasizes that it never asks for passwords or security codes by phone, message, or email. The recommendation comes after the exposure affected enough data to construct fraudulent communications directed at specific clients.

The company reported the breach to insurance, data protection, and law enforcement authorities

Santalucía has reported the incident to the Directorate-General for Insurance and Pension Funds, the Spanish Data Protection Agency, and the State Security Forces and Corps. In parallel, the insurer says that it has reinforced authentication and access control measures for its systems.

The internal review has also included existing supervision mechanisms. In the insurance sector, these types of episodes occur in a context of increasing scrutiny over the use and protection of personal data when handling large customer bases.

It is not the only recent precedent. Another case in the same area affected Ocaso Seguros, where 800,000 lines of customer data were exposed, a precedent that broadens the focus on phishing attempts linked to personal information leaks.

The unauthorized access that Santalucía has communicated to its clients dates back to May 1st.

About the author
Redacción