The reason the insurance industry is ranked so highly in the eyes of threat actors is due to the amount of Personally Identifiable Information (PII) they hold. PII data points such as dates of birth and U.S. Social Security numbers hold the greatest value to cyber criminals, with these serving as the key ingredient when committing identity theft operations, such as fraudulent credit applications, says Paul Prudhomme, head of threat intelligence advisory at Rapid7.
For example, in January 2021, IntSights security researchers found a Chinese-speaking criminal who was selling access to records from Chinese auto insurance companies for $3 (€2.83) each. These records included names, phone numbers and drivers’ licence numbers.
As I’ve mentioned, PII is not only useful to common cyber criminals but to nation-state actors as well. Additionally, foreign intelligence services use PII when conducting human intelligence (HUMINT) operations or signals intelligence (SIGINT) operations.
Furthermore, hacktivists (or hacker activists) target insurance companies for ideological reasons in the hope of undermining insurance organisations’ political and socio-economic power. For example, the Iranian attackers, Black Shadow, exposed the PII of customers (many of whom are government employees) of Israeli insurance company Shirbit in late 2020. The reasons for Black Shadow attacking could have been to collect information for the Iranian government, or for a combination of financial and nationalistic purposes.
Insurance companies which do suffer from a cyberattack not only have the issue of trying to retrieve stolen data, but also potential legal implications. For example, individuals affected by the cyberattack on AJG filed a lawsuit against the company for allegedly failing to protect their PII and not alerting them to the compromise quickly enough.
The threat of ransomware attacks
The insurance industry is a popular target for ransomware attacks, in particular. Gangs are always looking for targets that are likely to pay their fees, and they can figure this out by learning about insurance companies’ policies.
CNA Financial, which provides cyber insurance, reportedly paid a ransom fee of $40 million (€37.77 million) to the Phoenix CryptoLocker ransomware group after it gained initial access to an employee’s workstation through a malicious browser update.
Threat actors have even gone as far as targeting insurance companies that attempt to withdraw their cyberattack protection policies. For example, the Asian region of global insurer AXA was targeted by a ransomware attack in May 2021, after French officials announced their policies would not cover ransomware anymore. The threat actors may have aimed to punish and make an example out of AXA for changing its ransomware coverage.
Cyberattacks on the insurance industry can fuel other crimes and vice-versa
Criminals can use already compromised PII from other sources to obtain further PII from insurers’ automated quote tools. Attackers tried to steal drivers’ licence numbers from insurance group, Farmers Insurance, using already stolen victims’ names, street addresses and dates of birth. Security bugs or misconfigurations in customer web applications, such as the one for Farmers Insurance, makes the insurance industry a door just waiting to be opened when it comes to stealing personal data.
It is not only cyberattacks on the insurance industry that help fuel other crimes, but cyber incidents on other sectors have then been used to target the insurance industry. Compromises in the healthcare sector have proven to be a great source of health insurance data for threat actors. Protected Health Information (PHI) in the patient records of hospitals and other healthcare providers usually contain insurance policy details. These stolen details can then be used to commit insurance fraud as well as other forms of identity theft.
Protecting against cyberattacks
PII can be left dormant for years inside an insurance organisation, which makes it the perfect target for threat actors. For organisations to ensure they have the best possible protection against cyberattacks, simply adding extra layers of protection will not cut it. It is understanding why those layers are being added and how they enhance an organisation’s overall security posture that matters.
No two businesses are the same and therefore security cannot be the same across the board. Organisations must ensure that their business-to-customer security measures and their business-to-business measures are tailored to provide the maximum amount of protection.
Technologies such as threat intelligence are an important asset for organisations when trying to understand who is likely to attack them and what part of the network they may target. Threat Intelligence can monitor both patterns and tactics used by cybercriminals, which helps security teams understand how to combat certain threats.
Additionally, by proactively monitoring the clear, deep, and dark web, threat intelligence technology helps security teams identify when their organisation’s data is stolen and offered for sale, as well as what data has been leaked. This allows organisations to assess the risk, the source of the leak, and decide on mitigation steps.
Thanks to threat intelligence, security teams now know the tactics, techniques, and procedures (TTPs) of threat actors most likely to target them. With this knowledge, security teams can implement the most effective security solutions at the correct endpoints.
Organisations that integrate threat intelligence into their security operations workflows will suddenly find themselves ahead of the game when it comes to defending cyberattacks, ultimately knowing what a cyber criminal is going to do before they have even done it.
The author is Paul Prudhomme, head of threat intelligence advisory at Rapid7.
Follow us and Comment on Twitter @TheEE_io