Results of the investigation into the consequences of the attack on the Hanfa computer system
As previously reported, on 23 January 2024, the Croatian Financial Services Supervisory Agency (Hanfa) suffered a cyber attack on its computer system. According to the available facts and results of the independent forensic investigation, its aim was to disrupt Hanfa’s regular work and operations. A sophisticated technique was used to penetrate Hanfa’s network system in order to encrypt data using malicious code and to prevent access to its information infrastructure.
According to the results of the forensic investigation, there is no evidence that data from Hanfa’s system were used in an unauthorised manner or stolen. Right after the attack, the attacker was no longer present in the system, and computers of the Hanfa staff were not compromised either.
We would like to inform our data subjects (natural persons who are our supervised entities’ clients, contract employees, job applicants, our former employees, inquirers, document signatories, natural persons in registers under our jurisdiction) and supervised entities that there is no evidence that this incident has resulted in their data being exported from the Hanfa system and used in an unlawful manner, or that the data have been processed in any manner other than being locked. The locked data are no longer available to the attacker or any third person.
Given the importance of data protection and full recovery of the IT infrastructure, additional security and technical measures have been taken to mitigate future risks of a new incident. After a comprehensive analysis, an additional plan was developed to raise the level of information security, all user accounts were reviewed and new security levels of authentication for individual systems were introduced. A plan has been launched to recover the existing application systems and build new ones that will comply with the highest safety standards. These systems will be phased in over the upcoming period, as they will undergo full safety and technical testing before use. Websites used by registered users of Hanfa reporting systems (Reports) and other service systems (SRPI and ROL) are a priority in the recovery of our external services. Citizens and supervised entities can already check financial service providers in registers available on the Hanfa website and use other content they find relevant.
Following the recovery of the information system, Hanfa will also revise measures for the regular testing of the information system security, including an independent external audit and the testing of digital operational resilience.
For any inquiry regarding personal data processing, feel free to contact us by email at privatnost@hanfa.hr. This concerns data such as name, surname, address, personal identification number (OIB), date of birth, data contained in an insurance policy or another financial service contract, and other data on natural persons who are our supervised entities. We would like to thank everyone for their patience and understanding.