Insurance firm CNA discloses data breach after March ransomware attack

Insurance giant CNA notifies customers of a data breach after the Phoenix CryptoLocker ransomware attack suffered in March.

US insurance giant CNA is notifying customers of a data breach after the ransomware attack that it suffered in March.

The insurance firm paid a $40 ransom to restore access to its files following the ransomware attack.

According to Bloomberg, CNA Financial opted to pay the ransom two weeks after the security breach because it was not able to restore its operations. Bloomberg was informed about the payment by two people familiar with the attack.

The systems at the company were infected with the Phoenix Locker, a variant of ransomware tracked as Hades that was part of the arsenal of the cybercrime group known as Evil Corp.

“According to the two people familiar with the CNA attack, the company initially ignored the hackers’ demands while pursuing options to recover their files without engaging with the criminals. But within a week, the company decided to start negotiations with the hackers, who were demanding $60 million. Payment was made a week later, according to the people.” reported Bloomberg.

CNA Financial immediately launched an investigation into the incident and reported it to the FBI and the Treasury Department’s Office of Foreign Assets Control.

On May 12, CNA announced that it did not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted.

BleepingComputer reported that attackers infected over 15,000 devices in March, the ransomware gang encrypted the computers of remote workers who were logged into the company’s VPN during the incident.

Now new details have emerged from the investigation, evidence confirms the data breach,à

“The investigation revealed that the threat actor accessed certain CNA systems at various times from March 5, 2021 to March 21, 2021. During this time period, the threat actor copied a limited amount information before deploying the ransomware. However, CNA was able to quickly recover that information and there was no indication that the data was viewed, retained or shared. Therefore, we have no reason to suspect your information has or will be misused.” reads the data breach notification letter sent to the impacted customers.

At the time of the notification, the company has determined that the threat actors potentially had access to customers’ personal information, including your name and Social Security number.

According to breach information filed with the office of Maine’s Attorney General, the security breach impacted 75,349 people.

CNA is not able to confirm if data was viewed, stolen, or shared online by the ransomware gang.

The company added that it “was able to quickly recover that information and there was no indication that the data was viewed, retained, or shared.”

The insurance firm is offering to the impacted customers a complimentary 24-month membership of Experian’s IdentityWorks to protect them against identity theft.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]