The insurance industry is a significant target for cybercriminals
Which should concern, but not surprise, anyone working in the sector or the many industries linked to it.
Policyholder data is a treasure trove for threat actors. Stealing this information gives them the chance to make a lot of money very quickly by selling it to other criminals on the dark web or encrypting data to extort a ransomware payment. Yet when attackers steal personally identifiable information (PII), they also gain the means of launching attacks or defrauding companies in totally different sectors. So, how should the insurance industry respond?
The first step lies in understanding what criminals are looking for and studying their techniques. We have seen a number of high-profile incidents in recent years which demonstrate the catastrophic financial and reputational cost of cyberattacks. In March 2021, the insurance giant CNA Financial reportedly paid a ransom of $40 million USD to a gang that infected it with Phoenix Locker, a variant of ransomware linked to the cybercrime network Evil Corp. Ironically, CNA disclosed that its own cyber insurance coverage would not cover all of its financial losses.
The dollar and cent value of this attack might seem clear. But in fact, the true impact of a breach is extremely hard to quantify. If partners and clients lose trust in a company over fears that it cannot protect their data, the damage could be critical. This is why the threat of publishing PII on the dark web is so powerful. If insurers must choose between making a large pay-out or seeing their customers’ data made publicly available, they will often choose to take the financial hit.
Insurers make good targets because the data stolen from them can be used to target other sectors including healthcare and finance. This also works the other way. For instance, it was claimed that a ransomware attack on the global cyber insurer AXA in May 2021 originated at a third-party vendor. This breach resulted in the publication of three terabytes of data including details of claims, identity documents, bank account details and customer medical records. The attackers may have wanted to punish and make an example out of AXA, which had recently announced that it would stop covering French customers who make ransomware payments.
Why Are Cybercriminals Targeting Insurance?
Typically, attackers are driven by financial motivations – although there are exceptions, with hacker activists (hacktivists) and nation-state actors pursuing different agendas. We investigated a South American hacking group called KelvinSecTeam which engages in both criminal and hacktivist activity, demonstrating two sides of the threat facing insurers.
Hacktivists will often target financial institutions in the hope of undermining a nation’s political and socio-economic power structure. KelvinSecTeam struck against a Colombian insurance company as part of its political efforts. Yet it also stole Covid-19 test results from a drive-through testing service in California. It then put 14,000 records up for sale, which included names, addresses, dates of birth, social security numbers, and street addresses for tested patients. Understanding the motivations of attackers is crucial to mounting a defence.
To beat cybercriminals, it pays to study their methods and goals. Therefore, threat intelligence should be a key component of any cybersecurity strategy, offering organisations the opportunity to build defences to repel specific threats or respond to changing risks. Threat intelligence technology can show what sort of data criminals are seeking to steal from your organisation, as well as the techniques they will use to obtain it. Up-to-date threat intelligence can also be used to power automated responses to problems like phishing and credential leakage. If a business knows what the latest phishing emails look like or finds out its credentials are on sale, it can automatically block the malicious message or change passwords.
Rigorous research and risk mitigation should also be carried out when dealing with third parties, backed up by a holistic understanding of the threats in the insurance sector and partner industries. Policyholder PII should be given additional layers of protection such as encryption and network segmentation, and public-facing web applications, including automated quote tools, should be tested to find bugs and misconfigurations that could expose consumer data.
The financial rewards on offer will continue to tempt criminals in search of an easy payday, whilst geopolitical tensions could lead to increased activity from nation-state hackers. Insurers should not delay. The time for mounting an intelligent, educated defence is now.
About the Author
Paul Prudhomme is Head of Threat Intelligence Advisory at Rapid7. Organizations around the globe rely on Rapid7 technology, services, and research to securely advance. The visibility, analytics, and automation delivered through our Insight cloud simplify the complex and help security teams reduce vulnerabilities, monitor for malicious behavior, investigate and shut down attacks, and automate routine tasks.
Featured image: ©Kras99