Targeted Ransomware Hits Insurance Data
Bryant G. Tow | May 15, 2017
Ransomware started out as spam email blasts to see who would click on a link or open an attachment containing malware that would encrypt the victims’ Word documents, PowerPoint files, pictures, etc. and demand a standard ransom to get the data back, usually in the neighborhood of $300. Cyber criminals were just looking to spread the net as wide as possible and see what would stick. Not anymore.
In late April, a managed service provider (MSP) in the southeast was targeted. Being the host for over 280 customers—several from the financial service sector including insurance providers—makes for a target-rich environment.
A customer of the MSP called the support team and asked for a port to be opened on a firewall for a backup system. The password for the backup system was set to “backup1.” Within a week, the MSP was compromised with the latest and greatest ransomware. The ransom was set at $50k. The MSP’s insurance company pulled in their law firm to help with the logistical details under privilege. The lawyers then pulled in a digital forensics company. It became clear the mission of both of these organizations was to protect the insurance company, not the insured.
The MSP brought in our team to assist with the investigation and cleanup to protect their interests and work alongside the legal and forensic firms. Our triage of the scene showed the attackers first deleted all of the backups. Next, they wiped out the co-location data and encrypted over 56 terabytes of data, making it useless without the keys.
Consultations with other forensics and incident response organizations and the FBI led to the conclusion that the only way to recover the data was to pay the ransom.
Technical teams worked 24 hours a day for four days to decrypt and return all of the data to a usable state. There was work to be done to find and remediate all additional vulnerabilities, which would be beyond the scope of the current investigation. As we see in most cases, the attackers now know the MSP will pay the ransom. They will be back and any vulnerability left behind will be used for round two.
Total costs estimated as of this writing exceed $100k and there is still considerable remediation work to be done. There has been no payment as yet from the insurance company while the forensics team and law firm continue to evaluate whether this is a payable claim. In many cases the claims are not paid if there is any negligence that can be proved on the part of the insured.
There are two lessons to be learned from this event:
Lesson 1: Do not blindly trust your managed service or cloud providers—or any technology vendor. Using vendors as a launch point is a popular attack vector for cyber criminals. Many service providers provide impressive slide decks of the security they provide, but it is sometimes just “Security Theater.”
Some will provide a System and Organization Controls (SOC II) report, in which an accounting firm audits all of the controls the MSP provides. There is nothing in these reports that shows missing security practices. The MSP could be doing everything it documented for the accountants while missing entire areas of security standards and best practices.
The only way to be sure your business is properly protected is to manage your own vendor risk program. Each vendor must be ranked and their dependence and business exposure prioritized so the appropriate level of evaluation can be assigned. Evaluations should be done on a regular cadence and diligently managed with proper follow-ups on security gaps.
Lesson 2: The vulnerabilities in our systems are most often not technical. Exposures come through the absence of processes or lax procedures. This attack and the exorbitant cost to the business could have been prevented with a proper security program.
First, any client request for a change in the firewall rules should be pushed through a change management process that includes proper approval, back-out strategy, and management. Second, the password used was about as weak as possible. Lack of education and awareness of basic security requirements combined with absence of an enforced password policy made this attack easy.
This story is merely one of thousands. Ransomware incidents have risen over 50 percent in the last year according to the Verizon Data Breach Investigations Report. In the survey, financial services was the top industry affected at 24 percent.
The only way to properly protect your organization is to consider all of the attack vectors and have a complete security program including executive leadership. An incident response plan that includes a ransomware attack scenario should be part of the program. The growth rate and the successful attacks we are seeing would seem to indicate it is not a matter of if but when. Make sure your organization is prepared.