CNA Discloses Breach Related to March Ransomware AttackInsurer: Incident Mainly Affected Current and Former Employees, Contract Workers
The insurance company CNA Financial Corp. has acknowledged that the cyber incident the company sustained in March was a ransomware attack and that it has notified 75,000 individuals that their data may have been compromised, according to documents filed with Maine's attorney general and breach notifications that went out to those affected on Friday.
Personal information that may have been compromised during the incident includes names, Social Security numbers, and in some instances, health benefits information, CNA writes in a formal notice on the incident. The majority of individuals being notified are current and former employees, contract workers and their dependents, the notice states.
CNA, ranked by the Insurance Information Institute as the seventh-largest commercial insurance firm in the U.S., was the target of a Phoenix CryptoLocker ransomware attack on March 21, which encrypted 15,000 devices.
According to the notification, attackers gained entry to CNA systems on March 5 and maintained persistence through March 21. At the time of the attack, CNA only referred to the incident as a "cybersecurity attack." (See: Insurer CNA Disconnects Systems After 'Cybersecurity Attack')
In May, Bloomberg reported that CNA paid a $40 million ransom in the wake of the attack - beginning negotiations with the hackers about a week after the incident began.
In the notification letter, CNA Chief Compliance Officer Garrett Williams writes that some information was exfiltrated by the attacker, but the company was able to recover the data.
"There was no indication that the data was viewed, retained or shared. Therefore, we have no reason to suspect your information has or will be misused," he notes.
The company, which offers cyber insurance as well as property and casualty policies for businesses and individuals, is offering those affected 24 months of free credit monitoring and fraud protection services through Experian.
The firm reported the incident to law enforcement authorities and continues to work with the FBI, Williams writes. CNA has also "implemented numerous additional measures designed to enhance the security of its network, systems and data," he adds.
"CNA followed all laws, regulations and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter," a company spokesperson tells Information Security Media Group.
The Chicago-based firm has 5,800 employees and generated $10.8 billion in revenue in 2020, according to Google Finance.
About Phoenix CryptoLocker
The new malware variant Phoenix CryptoLocker, believed to be linked to Russian threat group Evil Corp, apparently was used in the March ransomware attack on CNA, according to digital risk management firm CloudSEK.
The ransomware code resembles that used by Evil Corp in its previous efforts, CloudSEK says. Phoenix CryptoLocker targets files with multiple extensions, leaving behind a ransom note along with the threat actor’s tag, “phoenix helpdesk."
CloudSEK notes that Phoenix CryptoLocker uses remote desktop protocol or compromised credentials to gain access to servers - "masquerading as a legitimate software signed with a digital certificate issued by 'Saturday City Limited,'" the security firm notes.
Phoenix CryptoLocker then executes its ransomware, enumerates system folders and directories, encrypts files and appends them with a ".phoenix" extension, followed by a ransom note.
In its statement provided to ISMG, CNA says: "The threat actor group, Phoenix, responsible for this attack is not a sanctioned entity and no U.S. government agency has confirmed a relationship between the group that attacked CNA and any sanctioned entity. CNA has been conducting dark web scans and searches for CNA-related information, and again, we do not have any evidence that data related to this attack is being shared or misused."