By Paul Prudhomme, Head of Threat Intelligence Advisory at IntSights, a Rapid7 company
The insurance industry has long been a staple for cyber attacks. Criminals go where the money is, and the sector represents one of the most direct ways to access key personal and financial data that can be used to net an illicit profit.
More recently, insurers have faced even greater risk exposure due to their provision of cyber insurance coverage, particularly when it comes to ransomware. The sector has also seen increased attention from state-sponsored actors seeking personal data to fuel other campaigns.
Why is the insurance sector such a popular target for cyber crime?
Threat actors regard the insurance industry as a valuable source of personally identifiable information (PII) which can be used for a variety of crimes, including identity theft, other types of fraud, and further cyber attacks.
Alongside insurance documentation itself, firms will also have digital copies of items such as passports, driver’s licenses and bank statements that have been used to verify the policy holder’s identity and address. Birth dates are also particularly valuable to criminals, alongside National Insurance numbers, Social Security numbers, and their various international equivalents.
In one prominent example, U.S. insurer Ryan Specialty Group had its employee email accounts breached in April 2021. Customer names, Social Security numbers, driver’s license and passport details, and financial account details were believed to be exposed as a result.
The depth of information held by insurers on behalf of policyholders is also useful to state-sponsored threat actors, providing a large amount of data for human intelligence (HUMINT) operations or signals intelligence (SIGINT) operations.
Insurers that provide cyber insurance also face an elevated threat level. Attackers may seek to compromise their network to unearth policy details and security standards as a way of creating more effective targeted attacks.
The rising threat of ransomware
In addition to data theft, insurers are also targets for ransomware attacks. Ransomware has swiftly risen to become one of the primary cyber threats for businesses in all industries today as an infection can rapidly cripple the organisation by encrypting key files and systems. Criminals are also increasingly coupling ransom demands with data theft, often threatening to leak sensitive information unless additional payment demands are met.
However, insurers that provide cyber policies may again face increased risk from organised cyber criminal gangs and state-backed actors. In one prominent example, the Asian component of global cyber insurer AXA was struck by the Avaddon ransomware last year very shortly after announcing that it would stop reimbursing new French customers that chose to pay ransom demands.
The group responsible may have been seeking to make an example of AXA, as its previous policy of covering ransom payments would make it more likely for victims to pay up to criminals.
Why most stolen data is destined for the dark web
Stolen data is a commodity item in the shadow economy maintained by cyber criminals. Datasets are readily bought and sold on hidden forums and marketplaces on the dark web, with individuals and groups often specialising in selling data rather than using it themselves.
In one example discovered by IntSights security researchers, a Chinese-speaking criminal going by “Rebecca” was selling access to records from Chinese auto insurance companies for $3 each. These records included PII such as names, addresses, and driver’s license numbers.
Threat actors will commonly purchase PII sets from different sources to help facilitate further data theft and fraud. The insurance sector is a favourite target here as automated quote tools can potentially be exploited into revealing more information about customers. Farmers Insurance Group, for example, revealed that in early 2021, attackers attempted to use previously stolen customer names, dates of birth, and street addresses to trick its automated car insurance tool into providing driver’s license numbers.
Criminal groups now often include the threat of data disclosure as part of ransomware attacks. Defiant organisations that refuse to pay up will be punished by having their data sold on the dark web, or sometimes dumped on publicly available open web platforms. The threat aims to pile additional pressure on the victim by creating a high-profile breach that will damage customer trust and attract the attention of compliance regulators.
How can insurance firms protect themselves and their customers?
All firms operating in the insurance sector should be aware that they represent a high priority target to threat actors ranging from opportunistic criminals to highly organised gangs and even state-sponsored groups. Securing the customer data in their care should be a top priority for all insurance firms.
Insurers need to consider the context of their data and how best to protect it. B2C security measures will be significantly different from B2B equivalents, for example, and different subsectors such as auto and health insurance will also have their own security threats and priorities.
Threat intelligence is the most important asset for attempting to understand and mitigate these risks. Having access to a range of data from open and closed web sources will help insurers to build a picture of threats arrayed against them and prioritise their security strategies accordingly.
This includes insight into general trends, such as new attack tactics, malware variants, and software vulnerabilities, and can also reveal direct threats to the organisation. For example, threat intelligence might uncover discussions in a dark web forum about targeting a specific insurer because of their ransomware pay-out policy, or due to an exploit in their automated customer service system.
Effective threat intelligence can also alert insurers to the fact they have been breached by discovering criminals arranging the sale of stolen data. While the firm will still suffer reputational and financial damage, this warning can give them a chance to get ahead of the crisis.
The cyber threat landscape has become increasingly hostile for the insurance sector in recent years. In order to have the best chance of protecting both themselves and their customers, insurance providers should look to implement threat intelligence to understand the context of their data and mitigate threats accordingly.
