top of page
Secutity Incident_edited.jpg
Secutity Incident_edited.jpg

 MIP Holdings – Security Compromise Notification 

 Date of publication: 23 June 2026

MIP Holdings is issuing this notice in terms of section 22 of the Protection of Personal Information Act, 4 of 2013. 

We recently identified a cybersecurity incident involving a third-party project management and task management tool (Jira) used within our business operations. It is important to note that MIP Holdings’ own core systems were not compromised - the incident was contained to the third-party Jira tool, which held certain personal information pertaining to our employees, our clients’ users and their members/customers. 

Upon becoming aware of the incident, we launched an investigation with the help of external cybersecurity specialists. The incident is the result of a cyber-extortion attack by a ransomware threat actor known as “The Gentlemen”. 

We have reasonable grounds to believe that certain personal information may have been accessed or acquired by an unauthorised third party and our investigation remains ongoing to understand the extent of the affected data. We have received undertakings from the threat actor that all data which was unlawfully accessed or acquired has been deleted and will not be published or misused. We are making this notification to ensure that affected clients and data subjects are informed and able to take protective measures. 

What happened?

 

On 14 June 2026, we identified suspicious activity affecting Jira, a third-party project management and issue logging tool used within our business operations. Jira is not an MIP Holdings system; it is an external platform developed by Atlassian and used by our clients for task & issue logging and tracking. The Jira system operates in our data centre and does not have any direct integrations into any of our clients’ policy administration systems. 

MIP and our cyber security specialist independently verified that the incident was limited to Jira as well as certain third-party FTP/SFTP sites, which were capable of being accessed using credentials obtained from Jira. The attacker was unable to move laterally into any of MIP’s other 16 servers or infrastructure. 

Jira contains development tasks and communications linked to the tasks and does not contain any client databases. Many tasks in Jira do have personal information associated with them. For example, there may be screenshots in which some personal information is visible; there may be instructions to configure access to services with the credentials recorded in the task; there may be data files attached to be used for configuration, testing or debugging. 

So, while there has been no access to any client policy administration systems or databases, there is unauthorised access to and acquisition of some personal information and in some cases to credentials, for example, credentials used by our clients to access secure file transfer platforms. 

Upon detection of the unauthorised activity, we immediately activated our incident response protocols. Our teams are working closely with affected clients, external cybersecurity specialists and other experts to contain and remediate the incident. 

The affected data is currently being analysed to determine: 

  • The nature and scope of the unauthorised activity; 

  • The categories of personal information involved; 

  • The identity and number of potentially affected individuals; and 

  • Whether any information has been downloaded, copied, misused or disclosed. 

 

Although we are not aware of any misuse or disclosure of information now, the investigation is ongoing and additional information may become available as the review of the affected data progresses. 

What personal information may have been affected? 
 

Based on information currently available, the affected data may include personal information relating to customers, business contacts, service providers, employees or other individuals whose information was held within the affected part of the Jira tool. 

We are making rapid progress in analysing the affected dataset and we are working with each of our affected clients to support and enable effective notifications to affected data subjects. 

The precise categories of personal information involved are being verified and each of our affected clients will be provided with the results of our analysis over the coming days. 

What are the possible consequences? 
 

A security compromise of this type may give rise to risks including: 

  • Unauthorised access to personal information; 

  • Phishing or social engineering attempts; 

  • Fraudulent communications purporting to originate from MIP Holdings or related entities; 

  • Identity theft or impersonation; and 

  • Other misuse of personal information. 

 

What has MIP Holdings done? 
 

We take the protection of personal information seriously and have implemented additional protective measures in response to the incident, including: 

  • Securing and containing the affected Jira system; 

  • Engaging independent cybersecurity and forensic specialists, who are conducting an investigation into the cause and extent of the incident; 

  • Enhancing system security and access controls through a migration to a new, separate Jira system; and 

  • Setting up a secure communication channel for updates to clients. 

 

As of 22 June 2026, MIP Holdings has received undertakings from the threat actor that: 

  • all data which has been unlawfully accessed and/or acquired has been deleted and will not be published; and 

  • affected clients and data subjects will not be contacted by the threat actor. 

 

We have already issued guidance to affected clients not to respond to any communications they may have received from the threat actor and not to click any links, open attachments, attempt to negotiate or engage with the sender in any way. 

On 16 June 2026 we submitted a security notification to the Information Regulator with reference SC20261749, in compliance with section 22 of POPIA, and we will continue to update the Information Regulator. We are in the process of preparing reports to law enforcement authorities. 

Although we do not assess this to be a material incident for purposes of the Joint Standard on Cybersecurity and Cyber Resilience, the Financial Sector Conduct Authority and the Prudential Authority have been informed of the incident on a precautionary basis. 

On 22 June 2026, we met with representatives of the Prudential Authority and the South African Reserve Bank to discuss the incident and the precautionary notification made under the Joint Standard. 

We will continue to keep the relevant regulators updated on the remediation of the incident. 

What should you do? 
 

Personal information contained in the affected data can be used to attempt fraud, phishing attacks or other types of cybercrime. 
 

We encourage you to maintain the following security measures: 
 

  • Safeguard your personal information - Do not disclose personal information such as passwords and PINs when asked to do so by anyone, whether via email, phone, or text message. Verify all requests for personal information and only disclose it when there is a legitimate reason to do so. 
     

  • Be extra vigilant online - Carefully consider emails which contain embedded hyperlinks or unexpected attachments. Avoid clicking on links or downloading attachments from suspicious emails. Be cautious when sharing your ID, address, or bank information - especially in digital formats or with unfamiliar contacts. 
     

  • Strengthen your security - Change your passwords regularly, using lengthy passwords with complexity, and never share these with anyone else. If you use the same password elsewhere, consider changing it to something strong and unique. Enable multi-factor authentication (MFA) for online accounts. Use a secure password manager to create and store strong, unique passwords or passkeys for each account. 
     

  • Protect your devices - Perform regular anti-virus and malware scans on computers and mobile devices, using software that is up to date. Keep operating systems and apps up to date to protect against vulnerabilities. 
     

  • Monitor your credit profile - To mitigate any fraudulent consequences, you can place a fraud alert on your credit report at any of the major credit bureaus. 
     

  • Apply for free Protective Registration - You can register for a free Protective Registration listing with the Southern Africa Fraud Prevention Service (SAFPS) to help protect you against the risks of identity compromise. You can apply via the SAFPS website, www.safps.org.za in three different ways:
     

  1. Apply online: www.safps.org.za

  2. Email: Download an application form from the SAFPS website and send it to protection@safps.org.za with the required supporting documents. 

  3. SAFPS Call-Back: You can submit your details through the SAFPS website and one of their agents will contact you to begin the process. 
     

Further information 
 

MIP Holdings is committed to transparency and will issue further updates as the investigation progresses. 
 

If you have any questions, concerns or require further assistance, please contact: 
 

Fergus McLoskey 

Chief Information Officer - MIP Holdings 

fergusm@mip.co.za 

bottom of page