[BreachExchange] After a Ransomware Attack, CNA Reports a Data Breach

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Jul 12 12:34:51 EDT 2021


https://www.ehackingnews.com/2021/07/after-ransomware-attack-cna-reports.html

Following a Phoenix CryptoLocker ransomware attack in March, CNA Financial
Corporation, a leading US-based insurance firm, is notifying clients of a
data breach. According to the Insurance Information Institute, CNA is the
seventh-largest commercial insurance company in the United States.
Individuals and corporations in the United States, Canada, Europe, and Asia
can purchase a wide range of insurance products from the company, including
cyber insurance coverage.

"The investigation revealed that the threat actor accessed certain CNA
systems at various times from March 5, 2021 to March 21, 2021," CNA said in
breach notification letters mailed to affected customers on 9th July.
"During this time period, the threat actor copied a limited amount of
information before deploying the ransomware." According to breach
information filed with Maine's Attorney General's office, the data breach
reported by CNA affected 75,349 people.

After evaluating the data stolen during the attack, CNA determined that it
contained personal information such as names and Social Security numbers.
"Having recovered the information, we have now completed our review
of that information and have determined it contained some personal
information including name, Social Security number and in some instances,
information related to health benefits for certain individuals," CNA
explained in a separate incident update.

"The majority of individuals being notified are current and former
employees, contract workers, and their dependents." The corporation went on
to say that there was no evidence that the stolen data was "viewed,
retained, or shared." Furthermore, CNA states that there is no reason to
believe that the stolen data has been or will be exploited in any way. CNA
also said, "CNA will be offering 24 months of complimentary credit
monitoring and fraud protection services through Experian. CNA is also
providing a toll-free hotline for the individuals to call with any
questions regarding the incident."

According to sources acquainted with the incident, the Phoenix CryptoLocker
operators encrypted approximately 15,000 devices on CNA's network after
spreading ransomware payloads on March 21. The attackers encrypted the
machines of remote workers who were logged into the company's VPN during
the incident, according to BleepingComputer.

Phoenix Locker is thought to be a new ransomware family designed by the
Evil Corp hacking gang to dodge sanctions after victims of the WastedLocker
ransomware refused to pay ransoms to avoid legal action or fines. "The
threat actor group, Phoenix, responsible for this attack, is not a
sanctioned entity and no U.S. government agency has confirmed a
relationship between the group that attacked CNA and any sanctioned
entity," the company said.