AXA’s APAC ransomware attack is a warning to all insurers
Taking place on 15 May, the insurer’s operations in Hong Kong, Malaysia, the Philippines, and Thailand were affected. Meanwhile, its global websites were struck by a Distributed Denial of Service (DDoS) that made them inaccessible.
Initial reports of the attack emerged roughly 24 hours later on Sunday 16 May. A full report of the specifics have yet to be presented by AXA, but 3TB of sensitive data is said to have been seized by perpetrators using the ransomware Avaddon - details seemingly confirmed by a dark web post seen by the Financial Times.
The stolen data supposedly included personal identification information, medical records, and claims history, among other things.
Cyber attacks: A persistent threat
Ironically, earlier in May, AXA had stated that it was purposefully halting the underwriting of cyber insurance policies that reimburse victims of online extortion. The logic, at least on the part of some officials, was that such actions actually incentivise cyber crime.
“The word to get out today is that, regarding ransomware, we don’t pay and we won’t pay,” said Paris’ cybercrime prosecutor Johanna Brousse at the time.
AXA’s misfortune also came shortly after hackers launched a cyber attack against Colonial Pipeline Company. The event caused local petrol shortages and the company was forced to pay the US$5m ransom, which it did using Bitcoin.
Clearly, the threat of large cyber attacks is not restricted to the insurance industry. However, the implications of AXA deciding against cyber insurance underwriting could have broader implications, particularly as global spending in the sector was previously estimated to reach $174.7bn by 2024.
Prevention is better than a cure
Lior Div, CEO and Co-founder of Cybereason, weighed in on what the insurance industry should take from this event:
"Unfortunately, AXA is in the long line of companies suffering from a ransomware attack. While it will take some time to learn the specifics of this newest attack, it is important to remind everyone that ransomware attacks can be disrupted and stopped before they have a material impact on an organisation by using endpoint detection and remediation software.
“Cybereason strongly recommends against paying ransom demands as our recent research shows that more than half the companies that pay a ransom are hit a second time.”
The adage that ‘an ounce of prevention is worth a pound of cure’ appears to ring true. Insurers must instill cybersecurity at every level of corporate operations and culture. Failing to invest the time and money could ultimately be the most expensive mistake of all.