CNA Financial Corporation, a leading US-based insurance company, is notifying customers of a data breach following a Phoenix CryptoLocker ransomware attack that hit its systems in March.
CNA is considered the seventh-largest commercial insurance firm in the US based on stats from the Insurance Information Institute.
The company provides an extensive array of insurance products, including cyber insurance policies, to individuals and businesses across the US, Canada, Europe, and Asia.
Over 75,000 individuals affected
“The investigation revealed that the threat actor accessed certain CNA systems at various times from March 5, 2021 to March 21, 2021,” CNA said in breach notification letters mailed to affected customers today.
“During this time period, the threat actor copied a limited amount information before deploying the ransomware.”
The data breach reported by CNA affected 75,349 individuals, according to breach information filed with the office of Maine’s Attorney General.
After reviewing the files stolen during the attack, CNA discovered that they contained customers’ personal information such as names and Social Security numbers.
“Having recovered the information, we have now completed our review of that information and have determined it contained some personal information including name, Social Security number and in some instances, information related to health benefits for certain individuals,” CNA explained in a separate incident update.
“The majority of individuals being notified are current and former employees, contract workers and their dependents.”
The company added that it found no evidence that the stolen information was “viewed, retained or shared.”
Additionally, CNA claims there is no reason to suspect that the stolen information was or will be misused in any way.
CNA will be offering 24 months of complimentary credit monitoring and fraud protection services through Experian. CNA is also providing a toll-free hotline for the individuals to call with any questions regarding the Incident. — CNA
Systems fully restored after ransomware attack
Sources familiar with the attack told BleepingComputer that the Phoenix CryptoLocker operators encrypted over 15,000 devices after deploying ransomware payloads on CNA’s network on March 21.
BleepingComputer also learned that the attackers encrypted the computers of remote workers who were logged into the company’s VPN during the incident.
Based on similarities in the code, Phoenix Locker is believed to be a new ransomware family developed by the Evil Corp hacking group to avoid sanctions after WastedLocker ransomware victims would no longer pay ransoms to avoid legal action or fines.
When asked by BleepingComputer about a connection between the sanctioned Evil Corp and the Phoenix group, CNA replied that there was no confirmed nexus.
“The threat actor group, Phoenix, responsible for this attack, is not a sanctioned entity and no U.S. government agency has confirmed a relationship between the group that attacked CNA and any sanctioned entity,” the company said.
“We have notified the FBI of this incident and are actively cooperating with them as they conduct their investigation of the incident.”
Two months ago, CNA reported that it has restored the systems impacted in the ransomware attack and is operating “in a fully restored state.”
The insurance provider added that it did not find any evidence while investigating the incident of stolen policyholder info surfacing, being exchanged or being put up for sale on the dark web or hacking forums.
Update: Added info provided by CNA spokesperson on additional data exposed in the incident.
Source: https://www.bleepingcomputer.com/news/security/insurance-giant-cna-reports-data-breach-after-ransomware-attack/