Holding statement regarding Security Incident

Words by 5CA

We are aware of media reports naming 5CA as the cause of a data breach involving one of our clients. Contrary to these reports, we can confirm that none of 5CA’s systems were involved, and 5CA has not handled any government-issued IDs for this client. All our platforms and systems remain secure, and client data continues to be protected under strict data protection and security controls.

We are conducting an ongoing forensic investigation into the matter and collaborating closely with our client, as well as external advisors, including cybersecurity experts and ethical hackers. Based on interim findings, we can confirm that the incident occurred outside of our systems and that 5CA was not hacked. There is no evidence of any impact on other 5CA clients, systems, or data. Access controls, encryption, and monitoring systems are fully operational and, as a precautionary measure, are under heightened review.

Our preliminary information suggests the incident may have resulted from human error, the extent of which is still under investigation. We remain in close contact with all relevant parties and will share verified findings once confirmed.

 

5CA General FAQ

1. How does 5CA respond to recent media reports about its involvement in a data breach that has occurred at one of its clients?

We are aware of reports concerning a data breach involving one of our clients. Based on interim findings from our ongoing forensic investigation, we can confirm that the attack was not directed at 5CA and occurred outside of 5CA’s systems. Neither 5CA nor any other 5CA clients were hacked, and all our platforms remain secure under strict data protection and security controls.

Our preliminary information indicates that the breach involves human error of a single 5CA employee working as a customer service representative on behalf of our client. This person’s access to all systems was immediately revoked, and they were suspended without delay. We launched a formal investigation, which so far neither shows evidence of unauthorized access to other systems or data, nor any collaboration with other 5CA personnel.

The actions of the 5CA employee appear to enable access to the client’s third-party customer service ticketing systems.

The extent or scope of the breach can only be confirmed by the client as data exfiltration occurred outside 5CA systems. We do note, however, that 5CA does not handle government-issued IDs.

As a precaution, we have heightened monitoring and implemented additional blocking mechanisms to prevent similar threats. Our security framework remains robust, aligned with all relevant norms, laws and regulations, and supported by zero-trust architecture, multi-factor authentication, and continuous monitoring, among other measures.

We remain in close contact with all relevant parties, including our client and external cybersecurity experts, and will share verified findings as they become available.

 

2. Were 5CA’s and its other clients’ systems and data breached by an unauthorized third party (a threat actor)?

No. Interim findings confirm that the attack was not directed at 5CA and occurred outside of 5CA’s systems. Neither 5CA nor any other 5CA clients were compromised. Access controls, encryption, and monitoring systems are fully operational and, as a precautionary measure, under heightened review.

 

3. How can you be certain that no other 5CA clients or systems were affected, given that the investigation is still ongoing?

Interim findings confirm that the attack was not directed at 5CA and occurred entirely outside 5CA systems. Neither 5CA nor any other 5CA clients were hacked. Our preliminary information suggests the attack has resulted from human error of a single 5CA employee, the extent of which is still under investigation.

Our ongoing investigation, which includes a review of said employee’s activity, so far shows no signs of attempts to access any other systems or data. We have since also confirmed that this person was not working together with other 5CA personnel.

 

4. What specific steps did 5CA take immediately after learning about the attack to contain potential risks, and how quickly were these actions implemented?

We were informed that there was a strong possibility that a person working as a customer service representative on behalf of 5CA’s client was involved in the unauthorized computer access. 5CA took immediate action by reviewing said person’s activities, and access to all systems was immediately revoked to prevent further potential unauthorized actions. We also started a formal investigation, which is currently ongoing and during which the employee is suspended. These actions were implemented without delay to ensure rapid containment and to preserve the integrity of client systems and data. Any further disciplinary measures towards the employee will be decided and taken after the investigation is completed.

 

5. How did the data breach happen and what is the extent/scope?

Our visibility into the attack is very limited because it was not directed at 5CA and it happened outside of our systems. We were informed that there was a strong possibility that a person working as a customer service representative on behalf of 5CA’s client was involved in the unauthorized access, upon which we launched an investigation into them.

During said investigation, which is currently ongoing, we have so far identified that this person obtained information that was used to access the client’s third-party customer service ticketing system. The extent or scope of the breach can only be confirmed by the client.

 

6. How does 5CA ensure that personnel working remotely or using personal devices cannot inadvertently compromise client data?

5CA utilizes a secure virtual desktop environment (VDE) – an isolated environment for each client. This environment acts as a controlled gateway to client tools and systems. The client retains full control over the security of their tools and personally grants access to personnel exclusively through the VDE.

To safeguard client data, the virtual desktop environment is equipped with robust security tools and monitoring solutions. It is fully monitored 24×7 by our Security Operations Center (SOC), and all personnel activities within the environment are logged to ensure accountability and traceability. This layered approach ensures that client data remains protected, even when personnel work remotely or use personal devices.

We also regularly assess risks related to securing our virtual environment and deploy corrective measures.

 

7. (How) does 5CA support and train its personnel to ensure that threat actors don’t persuade them to leak data because of bribes or blackmail?

5CA has a comprehensive Security Awareness Training program that includes dedicated modules on solicitation, bribery, and social engineering threats with a view to raising awareness and enhancing resilience. This training equips personnel with the knowledge to recognize, be resilient to, and respond appropriately to attempts by threat actors to manipulate or coerce them. We have internal reporting systems allowing personnel to flag these attempts. We use this information to update our internal watch lists for monitoring in the virtual desktop environment (VDE).

That said, we are very aware that solicitation and bribery are (growing) concerns within our entire industry. We are working with regulators and industry peers to find even better ways to mitigate risks.

 

8. Were one or more employees of 5CA solicited or bribed by threat actors?

Even though our interim findings show involvement of one of our employees in the hack of our client’s systems, we cannot say with certainty at this point whether they have acted in collaboration with threat actors. We hope to determine this through our ongoing investigation into the employee’s actions and will report this as part of our findings if we do.

 

9. What data does 5CA handle on behalf of its clients?

5CA handles client data strictly within the scope of agreed services and access levels. We work with each client to define what data will be made available and how it will be accessed, ranging from full API integrations to limited access via client-provided reports and tools. The data we process typically includes customer inquiries that fall within our support responsibilities, and support performance data used to manage and optimize operations.

Client data is hosted in separate secure and encrypted containers per client and project. Access to client data is strictly controlled on a need-to-know (RBAC) and least-privilege basis.

5CA does not handle government-issued IDs or related data or pictures thereof for any of its clients.

 

10. What assurances can 5CA provide to current and prospective clients that their systems and data are safe (and what independent audits or certifications support these assurances)?

5CA provides comprehensive assurances to clients through its established and continuously evolving security framework:

Information Security Management System (ISMS):

  • 5CA maintains an ISMS aligned with ISO/IEC 27001:2022, including implementation of controls recommended by this standard.
  • The ISMS and its associated controls are subject to regular internal and external reviews, ensuring ongoing compliance and effectiveness.

Security Assurances:

  • Zero Trust Architecture: All systems operate under a zero-trust model, ensuring continuous authentication, authorization, and validation of user access. Our zero-trust model ensures that no person, device, or network inside or outside our systems is automatically trusted and that each must always verify its identity for each session.
  • Multi-Factor Authentication (MFA) & Single Sign-On (SSO): Enforced across all personnel to secure access to 5CA-managed tools.
  • Risk Management: We perform regular risk assessments to identify risks and develop mitigation and response plans.
  • Personnel Behaviour Monitoring: Advanced analytics and security tools to flag suspicious activity and enforce real-time controls. This monitoring is also part of our ongoing investigation into potential wrongdoings by one of our employees.
  • Data Processing: All data handling practices are aligned with the General Data Protection Regulation (GDPR), ensuring lawful, fair, and transparent data processing.

 

11. Has 5CA identified any weaknesses or gaps in its own security protocols or monitoring as a result of this incident, and if so, what changes are being made?

No. Following the incident, 5CA conducted an immediate review of its security protocols and monitoring systems. Neither showed any material system issues, nor were any data breaches detected. Given the nature of this breach of the client’s systems, as a result of our assessment, we did implement extra measures to mitigate potential vulnerabilities and misconfigurations that take place outside our environment:

  • Additional blocking mechanisms have been deployed to prevent recurrence and to mitigate similar threats.
  • Monitoring capabilities have been expanded for more granular alerting.
  • Analytical rule sets have been refined and extended to improve detection.

These actions are part of a broader commitment to continuous improvement and alignment with best practices in cybersecurity.

 

12. What is 5CA’s policy regarding third-party access to client systems, and how does 5CA monitor and enforce compliance with these policies?

Third-party vendors providing support or services to 5CA do not have access to the virtual desktop environments (VDEs) used for client operations; nor do they have access to client tools. This separation ensures that client environments remain isolated and protected.

 

13. (How) does 5CA comply with relevant privacy and data protection rules and regulations?

5CA complies with relevant privacy and data protection rules and regulations through a comprehensive program that includes:

  • Adherence to GDPR and other laws: 5CA ensures compliance with the General Data Protection Regulation (GDPR), the ePrivacy Directive, and all applicable national laws. It establishes legal bases for data processing, provides transparent information to data subjects, and conducts Data Protection Impact Assessments (DPIAs) for high-risk activities.
  • Internal policies and procedures: The company maintains detailed internal policies which outline data handling, breach response, access control, and staff training (e.g. against solicitation, bribery, and social engineering threats).
  • Security measures: 5CA applies technical and organizational safeguards including encryption, multi-factor authentication, and secure cloud infrastructure. It also monitors risks and maintains an incident response procedure.
  • Global compliance: For international operations, 5CA documents country-specific data protection obligations and confidentiality requirements in internal resources.
  • Incident handling: 5CA has a detailed incident response procedure. In case of data incidents or breaches, 5CA promptly assesses risks, notifies stakeholders and, if required, authorities and data subjects, and implements corrective actions. Please again note that in this case, no data breaches of our systems have occurred.

 

14. How does 5CA verify the security and compliance of the platforms and tools provided by its clients, especially when those platforms are outside 5CA’s direct control?

We will continue to proactively assess client-managed systems, tools and platforms to identify potential vulnerabilities and flag any associated risks to our clients.

 

Updated:

5CA