Insurance companies warned of increase in cyber attacks
A report in Canadian Underwriter warns of an increase in cyber attacks against insurance companies that offer online quote facilities.
Based on advisories from the New York State Department of Financial Services (DFS) in February 2021, the report cautions that the “get a quote in minutes” feature on many P&C insurance company websites is being exploited to harvest information about potential victims. According to the report, the trouble starts when hackers take basic information about an individual (scraped from social media accounts or acquired in a data breach), and input this information into an insurer’s website.
These sites are designed to quickly reach out to their own network of information sources to gather and instantly pre-populate personal information on the online insurance application form. In the example of car insurance quotations, this additional information could include “a vehicle identification number (VIN), how many other licensed drivers are in the home, second addresses, [etc.]” The hackers intervene at this point to steal the third-party data that is being aggregated automatically. Even data that had been redacted for presentation online had been breached, in at least one case.
In their special advisory on the attacks, the DFS described at least eight auto quote websites that had experienced “successful or attempted data theft” since late 2020. The detailed report prepared by the DFS presents a summary of the techniques used by cyber criminals, and a number of strategies insurers can employ to detect and prevent this kind of fraudulent use of their instant quote facilities.
Insurers offering this online feature – even if the data is redacted – are encouraged to review the guidance in the bulletin to assess their own defenses against this emerging attack trend.
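One way an insurer could spot the pattern the DFS describes in its own quote-form logs: a single client feeding many different identities through the form, getting third-party data pre-populated each time, and almost never completing a quote. This is an added illustration, not code from the DFS bulletin or Canadian Underwriter; the log format, field names and thresholds are assumptions.

```python
# Added example (not from the article): flag clients that abuse an instant-quote
# form to harvest the third-party data it pre-populates. Log format, field names
# and thresholds are assumptions for this example, not an insurer's real schema.
from collections import defaultdict

# Constructed sample log. identity = hash of the name/DOB/ZIP entered; prefilled =
# number of third-party fields the form auto-filled (VIN, household drivers, ...);
# submitted = whether the visitor actually completed the quote.
SAMPLE_LOG = """\
2021-02-10T09:01:00 client=c1 identity=a1 prefilled=4 submitted=1
2021-02-10T09:02:00 client=c2 identity=b1 prefilled=3 submitted=0
2021-02-10T09:02:05 client=c2 identity=b2 prefilled=5 submitted=0
2021-02-10T09:02:09 client=c2 identity=b3 prefilled=4 submitted=0
2021-02-10T09:02:14 client=c2 identity=b4 prefilled=2 submitted=0
2021-02-10T09:02:20 client=c2 identity=b5 prefilled=6 submitted=0
2021-02-10T09:05:00 client=c3 identity=d1 prefilled=4 submitted=0
2021-02-10T09:06:00 client=c3 identity=d1 prefilled=4 submitted=1
"""

def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict with typed fields."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = ts
    rec["prefilled"] = int(rec["prefilled"])
    rec["submitted"] = rec["submitted"] == "1"
    return rec

def find_harvesters(log_text, min_identities=5, max_submit_rate=0.2):
    """Return {client: stats} for sessions matching the harvesting pattern the
    advisory describes: many distinct identities pushed through the form, data
    pre-populated each time, almost no quotes completed."""
    per_client = defaultdict(lambda: {"ids": set(), "reqs": 0, "done": 0, "fields": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        s = per_client[r["client"]]
        s["ids"].add(r["identity"])
        s["reqs"] += 1
        s["done"] += r["submitted"]
        s["fields"] += r["prefilled"]   # volume of third-party data exposed
    flagged = {}
    for client, s in per_client.items():
        rate = s["done"] / s["reqs"]
        if len(s["ids"]) >= min_identities and rate <= max_submit_rate:
            flagged[client] = {"identities": len(s["ids"]), "submit_rate": rate,
                               "prefilled_fields": s["fields"]}
    return flagged
```

Running `find_harvesters(SAMPLE_LOG)` flags only client c2 (five identities, zero completed quotes, 20 pre-populated fields exposed); the genuine shopper who retries the same identity once is left alone.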
NSA releases OT cybersecurity advisory
In the wake of the SolarWinds incident, the National Security Agency (NSA) in the United States has issued a bulletin and special advisory on ensuring the cybersecurity of “operational technology” (OT) infrastructure.
The NSA’s bulletin is targeted at military defense concerns, but presents basic best practices for any enterprise employing OT assets. The bulletin provides four key recommendations:
+ Encrypting all points of access, and logging all access by vendors or other third-party providers
+ Disconnecting all remote access connections until such encryption and logging is in place
+ Documenting and validating all OT devices and settings on a network infrastructure diagram or map
+ Performing a gap analysis and prioritization of security upgrades where necessary
According to the bulletin, “While there are very real needs for connectivity and automating processes, operational technologies and control systems are inherently at risk when connected to enterprise IT systems. Seriously consider the risk, benefits, and cost before connecting (or continuing to connect) enterprise IT and OT networks. Mindfully prioritize and consider the risks before allowing enterprise IT-to-OT connections. While OT systems rarely require outside connectivity to properly function, they are frequently connected for convenience without proper consideration of the true risk and potential adverse business and mission consequences. Taking action now can help improve cybersecurity and ensure mission readiness.”
Swiss cloud provider suffers ransomware attack
On April 27, Swiss Cloud Computing AG, a Zurich-based cloud provider, announced that it had been the victim of a targeted cyber attack.
The company’s initial statement on LinkedIn provided no details on the nature of the attack or the ransom demands involved, but did suggest that there were no indications of data exfiltration as a result of the attack. According to the latest statement on the company’s German language website, it is confident that its customers’ systems will be available “in the coming days,” as it works to restore servers from existing backups. Over 6500 customers are thought to be affected by the outage.
Swiss Cloud staff are reportedly working around the clock to restore services, as “parts of the complex server network affected by the attack must first be cleaned up individually and reconfigured,” according to the statement. Swiss Cloud, one of Switzerland’s largest cloud providers, is being assisted by technical support from Microsoft and Hewlett Packard Enterprise (HPE) in its recovery efforts.
Swiss Cloud should not be confused with Safe Swiss Cloud AG (SSC), another European cloud provider. SSC is based in Basel, Switzerland, and is not affiliated with Swiss Cloud.
Swiss Cloud’s next official statement and status update is scheduled for May 3.
Washington D.C. police department cyber breach may put lives at risk
On April 26, Washington D.C.’s Metropolitan Police Department (MPD) confirmed that it had suffered a significant data breach – one with potentially life-threatening implications.
According to multiple sources, the Russia-based ransomware threat group Babuk reportedly stole up to 250GB of data from the US capital’s police force, including lists of arrests, persons of interest to the department, and sensitive HR data and contact information that could compromise the safety of undercover police officers.
Babuk, the threat actors who famously hacked the Houston Rockets basketball team in March 2021, posted a sample of the stolen data on their dark web portal “Hello World 2”. They have threatened to fully disclose and share the personal information stolen, unless their demands are met.
The Washington Post reported that the sample “documents posted [April 28] ran into the hundreds of pages and included names, Social Security numbers, phone numbers, financial and housing records, job histories and polygraph assessments,” for individuals involved in police investigations, irrespective of whether they had been convicted of an offense. One sample also contained extensive personal and sensitive information about a current police officer.
In an email to staff, acting D.C. police chief Robert J. Contee – in the role on an interim basis since January 2, 2021 – advised that the size and scope of the breach was still under investigation: “We are aware of unauthorized access on our server. While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.”
Contee confirmed that “the mechanism that allowed the unauthorized access was blocked,” but provided no further details on the root cause. “We are working to identify all impacted personnel, who will be contacted directly with additional guidance. I recognize this is extremely stressful and concerning to our members.”
The breach is apparently Babuk’s crowning achievement – the group’s portal featured a note saying that the attack on the Washington PD was its last goal before shutting down operations. “Only they now determine whether the leak will be or not, in any case regardless of the outcome of events with PD, the babuk project will be closed,” according to the note. (In a subsequent blog entry on “Hello World 2”, Babuk advised that it will now be providing “open source” ransomware on the dark web, according to a report in Bleeping Computer.)