Cyber Incident Victim: Curo Fund Services
Date: Jan 2022
Location: South Africa
Summary
A cyberattack targeted an investment administrator jointly founded by major financial firms, disrupting its systems and temporarily affecting associated investment businesses' operations. The administrator, managing trillions in assets, experienced a system lockdown that hindered processing investment instructions and delayed price updates for certain portfolios, leading to brief trading suspensions. Remedial actions were implemented to minimize client impact, with no retail or customer data compromised as sensitive information resided solely with the investment firms. A comprehensive forensic investigation is underway to determine the breach's scope and origin, while the incident remained isolated to the administrator's infrastructure without compromising partner firewalls.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 5 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 19, 2022, Curo Fund Services, a Cape Town-based investment administrator jointly founded by Sanlam and Old Mutual in 2012, experienced a cyberattack that disrupted its operations. The attack locked Curo out of its systems until January 24, preventing the processing of investment-related instructions for its clients, which included major financial institutions Old Mutual, Sanlam, and Futuregrowth. Curo, responsible for managing and administering R2 trillion in assets, could not provide critical services during this outage. Old Mutual reported the attack specifically impaired Curo’s ability to supply updated prices for some Old Mutual Unit Trust portfolios, necessitating delayed price adjustments for affected customer transactions. As a precaution, Old Mutual’s investment divisions, including Futuregrowth, suspended trading in listed markets until systems were restored on January 24. Sanlam implemented unspecified remedial actions to maintain client trading continuity while Curo’s systems were offline, minimizing operational interruptions for its customers.

The incident prompted immediate collaboration between Curo and its clients to assess the breach’s scope. Sanlam confirmed its retail client data was not stored on Curo’s compromised systems, emphasizing that detailed client information resided exclusively within Sanlam’s own infrastructure. Similarly, Old Mutual clarified it did not share personal client data with Curo, isolating the breach to Curo’s systems without compromising Old Mutual’s firewalls. Futuregrowth reiterated that its client data remained secure internally and was unaffected by the attack. Curo initiated a comprehensive forensic investigation to determine the intrusion’s origin, method, and full impact, though the source remained unidentified at the time of reporting. No evidence of customer data compromise was found across any affected entities. Operational disruptions were resolved by January 24, with trading resuming and delayed price updates progressing for impacted Old Mutual transactions.
