CNA Financial Corporation, a leading US insurance company, notifies customers of a privacy breach following a Phoenix CryptoLocker ransomware attack that hit its systems in March.
CNA is the seventh largest commercial insurance company in the United States according to statistics from the Insurance Information Institute.
The company offers a full range of insurance products, including cyber insurance policies, to individuals and businesses in the US, Canada, Europe and Asia.
Over 75,000 people affected
“The investigation revealed that the threat actor accessed certain CNA systems at different times between March 5, 2021 and March 21, 2021,” said CNA in the notification letters sent to affected customers today.
“During this period, the threat actor copied a limited amount of information before deploying the ransomware.”
The data breach reported by CNA affected 75,349 people, according to information filed with the Maine Attorney General.
After examining the files stolen during the attack, CNA found that they contained customer personal information such as names and social security numbers.
“Now that we have recovered the information, we have completed our review of this information and found that it contains some personally identifiable information, including name, social security number and, in some cases, health care information for specific individuals,” CNA stated in a separate update.
“The majority of reported individuals are current and former employees, contract workers and their dependents.”
The company added that it had found no evidence that the stolen information was “viewed, held or disclosed”.
In addition, CNA claims there is no reason to believe that the stolen information has been or is being misused in any way.
“CNA will provide free credit monitoring and fraud protection services through Experian for 24 months. CNA also provides a toll-free line that individuals can call with questions about the incident,” CNA added.
Systems fully restored after ransomware attack
Sources familiar with the attack told BleepingComputer that the Phoenix CryptoLocker operators encrypted over 15,000 devices after deploying ransomware payloads on the CNA network on March 21.
BleepingComputer also learned that the attackers encrypted the computers of remote workers who were logged into the company’s VPN during the incident.
Based on similarities in the code, Phoenix Locker is believed to be a new ransomware family developed by the Evil Corp hacking group to evade sanctions, after victims of its WastedLocker ransomware stopped paying ransoms in order to avoid legal action or fines.
When asked by BleepingComputer about a link between the sanctioned Evil Corp and the Phoenix group, CNA replied that there was no confirmed link.
“The Phoenix Threat Actors group responsible for this attack is not a sanctioned entity and no US government agency has confirmed a relationship between the group that attacked CNA and any sanctioned entity,” the company said.
“We have notified the FBI of this incident and are working actively with them in their investigation.”
Two months ago, CNA reported that it had restored the systems affected by the ransomware attack and was operating “in a fully restored state”.
The insurance provider added that its investigation of the incident had found no evidence that stolen policyholder data was exposed, traded, or offered for sale on the dark web or hacking forums.
Update: Added information provided by a CNA spokesperson about the additional data disclosed in the incident.