The insurance industry is increasingly being targeted by a myriad of cyberattacks. As in many other sectors, ransomware is a top threat to the industry, due in part to the role of cyber insurance coverage of ransomware attacks. Yet the industry is also falling foul of other types of attack. Because insurance companies possess a great deal of personally identifiable information (PII) on their retail business-to-consumer (B2C) policyholders that bad actors can use for fraud and other malicious purposes, insurance fraud is also a big threat to the industry. In addition, hacktivists have been known to target insurance companies for ideological reasons, and the PII of B2C policyholders is also useful to state-sponsored threat actors because of the amount of detail that it contains.
Paul Prudhomme, Head of Threat Intelligence Advisory at IntSights, a Rapid7 company, says: “The insurance industry has been a key target for ransomware gangs and other threat actors due to the role insurance firms play in cyber insurance coverage and the significant amounts of Personally Identifiable Information (PII) they hold.
“Breaches of insurance companies result in cybercriminals being able to find the policy details and security standards of their cyber insurance customers and use stolen information for fraud or cyber-attacks later down the line.
“We’ve seen threat actors target a variety of insurance companies from the automobile and agricultural industry to the healthcare sector. With different insurance companies being targeted by different threat actors it doesn’t make sense for organisations to have the same cybersecurity solutions in place to combat them. Rather, organisations need individually tailored security policies in place which provide context around which threat actors are targeting them, what they are after and what techniques they may use. By having access to such intelligence, insurance companies can put themselves on the front foot against attackers.”
Using insights from the recent 2022 Insurance Industry Cyber Threat Landscape Report by threat intelligence business IntSights, a Rapid7 company, we’ve put together five of the biggest cybersecurity threats facing insurers at a global level.
5) Ransomware attacks on insurance companies
Insurers that provide cyber insurance coverage, in particular, are proving to be more attractive targets to ransomware operators. Compromises of their networks would give ransomware operators a way to identify and obtain policy details and security standards for their cyber insurance customers.
Cyber insurance coverage for ransomware attacks, particularly coverage of ransom payments, makes companies more attractive targets to ransomware operators due to the perception that those policyholders are more likely to pay ransoms if their insurers cover them. The details of cyber insurance policies, particularly the maximum ransom amount that a cyber insurance policy will cover, are also very useful to ransomware operators. Ransomware operators can use that information to calculate an optimal ransom amount that is high enough to maximize profit but low enough for victims to accept.
The report also highlighted that the threat of data disclosure has now become a standard component of ransomware attacks and an additional layer of extortion, beyond the traditional focus on merely encrypting files and holding them for ransom. Threatening to dump compromised files on the dark web for further misuse by other criminals aims to put more pressure on victims to pay ransoms, given the potential for the loss of customer confidence and the potential legal or regulatory implications of exposing customer or employee data.
4) Sale and compromise of B2C policyholder data
Aside from enterprise customers, insurance companies also possess a great deal of sensitive information on their individual retail customers that criminals can use for fraud and other malicious purposes. The most important PII data points are dates of birth and Social Security numbers, or the non-U.S. counterparts thereof (such as taxpayer-identification numbers). These serve as key ingredients in identity theft operations, such as fraudulent credit applications.
In the context of insurance policyholder data in particular, the most valuable data points, aside from the actual policy details themselves, are often identity document numbers and scans, such as for passports and drivers’ licenses. Auto insurance companies are another source of PII and other data points that criminals can use for fraud and other malicious purposes.
Attackers can also use already compromised PII from other sources to try to obtain more PII from insurers’ automated quote tools, particularly for car insurance.
The report found that compromises at healthcare providers are a significant source of exposure for health insurance providers. Health insurance policy details are one of several types of data points that make healthcare providers valuable targets for criminals serving the fraud market. The compromised protected health information (PHI) in the patient records of hospitals, medical practices, and other healthcare providers often contains policy details that criminal buyers can use for insurance fraud, along with the dates of birth and Social Security numbers that identity thieves can use for fraudulent credit applications.
3) COVID-19 related attacks
The COVID-19 pandemic has created many opportunities for attackers to exploit, particularly in their attacks on healthcare organisations, to whom this public health crisis is uniquely relevant. For example, the emergence of COVID-19 vaccination and testing records has created a new data set of patient records for attackers to target. The report found that the more frequent use of these PHI records for non-health purposes, such as employment, travel, and access to public places, has given attackers more opportunities to target them. As with other patient data sets, COVID-19 records may include data points that bad actors can use for fraud, such as health insurance fraud with health insurance details, or identity theft with dates of birth and Social Security numbers. Both public and private health insurance providers can become targets for criminals and fraudsters. The U.S. is a top target for criminals due to its affluence, the large scale of its economy, and the use of English. Accordingly, Medicare and Medicaid coverage details are popular commodities in these underground criminal marketplaces.
2) State-sponsored threats
Fraudsters may be the primary consumers of such compromised PII, but state-sponsored threat actors can also use it in support of intelligence operations and for investigative purposes. The report found that foreign intelligence services collect PII and ingest it into searchable databases against which they conduct targeted queries in support of human intelligence (HUMINT) operations or signals intelligence (SIGINT) collection.
The SIGINT components of foreign intelligence services and communities can monitor phone numbers and email addresses from PII data sets for more coverage of select persons of interest. Overseas HUMINT operations, with intelligence officers deployed in foreign countries in search of human sources to develop and recruit, often entail queries for more information on persons of interest that they encounter, or as a source of leads for them to pursue for development or recruitment. Other use cases for compromised PII in foreign intelligence services include the vetting of visa applicants, airline passengers, and other travelers for counterterrorism, counternarcotics, or other national security purposes. Identifiers such as dates of birth, Social Security numbers, and identity document numbers often facilitate these queries by enabling analysts to distinguish multiple individuals with the same or similar names, which can be harder if those names are in a foreign language.
1) Hacktivists targeting insurance companies
Ideologically motivated hacktivists can also target insurance companies in support of their political or economic goals. The report found that hacktivists often target the financial institutions and government agencies of a given country in the belief that such attacks undermine its political and socio-economic power structure.