Cyber attack on insurer highlights need for better security
Last year, the insurance firm AXA was hit by a severe data breach, which resulted in 3TB of data, including identity documents, claims, reimbursements, account details and customer medical records, being exposed as part of a multi-faceted cyber attack.
AXA is just one of the insurance and financial services companies targeted recently by cybercriminals, and there is a pressing need in this sector to tighten security controls. The insurer operates globally and has a net income of AUD5.01 billion. AXA's Asia Pacific components were breached after the company had stopped reimbursing new French customers for ransom attacks.
The company, which operates in Australia through XL Insurance Company SE and AXA Investment Managers, was hit by a group called Avaddon, which also conducts distributed denial of service (DDoS) attacks on top of setting up ransomware to pressurise victims to pay up.
The headline-grabbing attack is significant because it involved a damaging disclosure of customer data as well as possibly punishing AXA for not covering ransomware in reimbursements for its customers.
The attack was among a series of recent strikes that have hit insurance companies in the past year, as they became attractive targets for cyber attackers.
Shortly after the AXA attack, Tokio Marine Insurance Singapore disclosed in August 2021 that it too was hit by a ransomware strike. The subsidiary of the Japanese property and casualty insurer also provides cyber insurance coverage.
For an industry whose business is to manage risks, it may sound ironic that the spectre of a cyber attack is not something they often manage well.
In March 2021, CNA Financial reportedly paid a ransom of US$40 million to ransomware operators who had locked up files on the company's computers. Notably, its financial losses were not fully covered by its own cyber insurance.
In the past year, threat actors looking for a larger attack surface to mount hacking campaigns have also been monitoring the rapid digitalisation of the sector that is accelerated by the COVID-19 pandemic.
Eighty-five per cent of insurance CEOs say the pandemic has accelerated the digitalisation of their operations and the creation of next-generation operating models, according to a study by consulting firm KPMG.
While digitalisation has been a common endeavour across many different sectors, the insurance sector is an attractive target due to several unique factors.
First, they have a credible store of personally identifiable information (PII), which could include basic data such as contact information or social security or taxpayer-identification numbers.
Even more sensitive is protected health information (PII), such as medical records and medical expenses and failed claims, which can be found on insurance companies.
When exposed, these personal records make for highly damaging situations, which add to the attackers' leverage when demanding a ransom.
While the insurance firms' main concern is fraudsters, they also need to be on the lookout for potential state-sponsored threats that target victims of a data breach for human intelligence or other espionage purposes.
Around 2014 and 2015, the American health insurer Anthem was hit by a massive data breach, allegedly carried out by a Chinese cyber espionage group, that affected 78.8 million American customers.
Security researchers have been concerned that this could lead to hackers cross-referencing with another attack on the U.S. government's Office of Personnel Management, which handles security clearances for employees and contractors with access to classified information.
This could enable hackers to find personal vulnerabilities, say, large healthcare debts, which can be used as leverage to persuade the data breach victims to commit espionage against the United States.
Protection measures
Given the severity of such threats, what can insurance companies do to protect themselves? Unfortunately, there is no one-size-fits-all solution. Instead, each insurer has to find a solution that is specific to its needs.
Besides adding more layers of protection, defenders must consider the context of the business to which these layers are applied. For example, measures to enhance business-to-consumer (B2C) security would significantly differ from business-to-business counterparts.
Similarly, an insurer's operations will also determine how it may apply its security layers. For example, a car insurance company runs its operations quite differently from a healthcare insurer.
What is common is the need to have rigorous research and risk management in place long before a threat emerges.
There are no 100 per cent guarantees in cyber security, but having a holistic way to monitor threats across the industry and using data to find these threats will give insurers a better chance at mitigating their risks.
Article by Rapid7 company, IntSights, head of threat intelligence advisory, Paul Prudhomme.