After a Ransomware Attack, CNA Reports a Data Breach

 

Following a Phoenix CryptoLocker ransomware attack in March, CNA Financial Corporation, a leading US-based insurance firm, is notifying clients of a data breach. According to the Insurance Information Institute, CNA is the seventh-largest commercial insurance company in the United States. Individuals and corporations in the United States, Canada, Europe, and Asia can purchase a wide range of insurance products from the company, including cyber insurance coverage. 

"The investigation revealed that the threat actor accessed certain CNA systems at various times from March 5, 2021 to March 21, 2021," CNA said in breach notification letters mailed to affected customers on 9th July. "During this time period, the threat actor copied a limited amount information before deploying the ransomware." According to breach information filed with Maine's Attorney General's office, the data breach reported by CNA affected 75,349 people. 

CNA realized that the data stolen during the assault contained personal information such as names and Social Security numbers after evaluating them. "Having recovered the information, we have now completed our review of that information and have determined it contained some personal information including name, Social Security number and in some instances, information related to health benefits for certain individuals," CNA explained in a separate incident update.

"The majority of individuals being notified are current and former employees, contract workers, and their dependents." The corporation went on to say that there was no evidence that the stolen data was "viewed, retained, or shared." Furthermore, CNA states that there is no reason to believe that the stolen data has been or will be exploited in any way. CNA also said, "CNA will be offering 24 months of complimentary credit monitoring and fraud protection services through Experian. CNA is also providing a toll-free hotline for the individuals to call with any questions regarding the incident." 

According to sources acquainted with the incident, the Phoenix CryptoLocker operators encrypted approximately 15,000 devices on CNA's network after spreading ransomware payloads on March 21. The attackers encrypted the machines of remote workers who were logged into the company's VPN during the incident, according to BleepingComputer. 

Phoenix Locker is thought to be a new ransomware family designed by the Evil Corp hacking gang to dodge sanctions after victims of the WastedLocker ransomware refused to pay ransoms to avoid legal action or fines. "The threat actor group, Phoenix, responsible for this attack, is not a sanctioned entity and no U.S. government agency has confirmed a relationship between the group that attacked CNA and any sanctioned entity," the company said.