Premium target -- why insurance companies are so attractive to hackers [Q&A]


The Scattered Spider group seems to have switched from high-profile attacks on UK retailers to new campaigns targeting the insurance sector. The group has recently been linked to ransomware incidents affecting US-based Philadelphia Insurance and Erie Insurance, which operates in both the UK and the US.

We spoke to Danny Howett, technical director at global cybersecurity consultancy CyXcel, to discuss why insurance is such an attractive target and some practical steps insurers can take to shore up their defences against increasingly organised cybercriminals.

BN: What specific types of data held by insurance companies make them such a prime target for cybercriminals?

DH: Insurance companies are particularly attractive targets for cybercriminals because of the depth and breadth of sensitive information they hold. These organizations typically manage vast amounts of personally identifiable information (PII), including but not limited to names, addresses, email contacts, phone numbers, dates of birth, social security numbers and government-issued identification. More critically, they often collect and store highly sensitive medical records, financial details such as income and banking information, and even lifestyle data -- especially in the case of life or health insurance providers.

Personal data is widely commoditized on the dark web and across wider digital communications platforms or used in identity theft. What differentiates insurers from many other sectors is the volume of data they hold and the long-term retention of that data, which can amplify the damage in the event of a breach.

Commercial insurers are also a prime target, holding confidential information on organizations which may include sensitive contracts, claims data, corporate risk profiles, as well as their cyber insurance coverage information.

Cybercriminals who gain access to this information may sell it on to other threat actors or use it themselves to tailor more targeted attacks, such as extortion or ransomware, exploiting known coverage limits or exclusions.

BN: The insurance industry is undergoing significant digital transformation. How has this increased reliance on technology and digital platforms expanded the attack surface for cybercriminals?

DH: The ongoing digital transformation in the insurance industry has undeniably increased operational efficiency and customer experience, but it has also widened the threat landscape. However, the insurance market has long relied on an interconnected system of brokers, agents and third-party vendors, creating a wide potential attack surface.

One of the most significant risks is the continued use of legacy IT systems -- many of which were never designed with cybersecurity in mind. These legacy systems are often connected to modern applications or portals which create potential gaps that attackers could exploit. As with many industries, insurers are migrating services to cloud infrastructure, a move which can often lead to inadvertent misconfiguration or accidental data exposure.

Additionally, as insurers shift toward real-time processing, automated underwriting, and API-driven platforms, they expand their digital footprint. This creates more endpoints and more opportunities for threat actors to probe for weaknesses, particularly in areas such as identity management, API security and data storage.

BN: What are some of the most common attack methods hackers are currently using to target insurance companies?

DH: The threat vectors used to target insurers align closely to other sectors; however, there is the added pressure due to the value of their data. Phishing remains one of the most prolific methods, with phishing emails leading to either credentials being harvested or the delivery of malicious files, commonly stealer malware, which is effective at capturing not only valid credentials but also valid session cookies or authentication tokens which can bypass multi-factor authentication controls. We are also seeing zero-day vulnerabilities being targeted by financially motivated threat actors quicker than ever before, and organizations need to ensure patching schedules keep up, particularly on critical issues. Other common methods include targeting the weakest link, gaining access through supply chain vendors who may lack the security or resources of larger organizations.

BN: How can layered security measures help defend against these attacks?

DH: Effective, layered security measures assist in ensuring that even if an attacker can bypass one security control, they are identified and stopped by another before being able to carry out their objectives. Organizations should not expect a single product or process to fully protect a network and should assess and prioritize where to implement defenses based on their risk profile and available resources.

Commonly, this might start with the perimeter, using Intrusion Detection Systems (IDS) to monitor for suspicious events, and firewalls to filter traffic and prevent opportunistic attacks and automated threats. Once inside, critical layers are likely to be endpoint devices such as end user laptops, continuously monitoring them for threats (EDR/NGAV). Identity and Access Management (IAM) should also be high among an organization’s considerations, using MFA or SSO while ensuring permissions and privileges are based on the users’ job functions and responsibilities, and applying appropriate Role Based Access Controls.

BN: Why is staff training so important in combating cyber threats?

DH: Employees are the first line of defense, but often the first point of failure. An effective training program for staff will help them to better understand the range of threats that may impact them, from phishing and social engineering to safe password practices and understanding the risks associated with downloading data or software from unknown or untrustworthy sources. Organizations should ensure staff are not fearful of reporting an incident, and that reporting mechanisms are clear and simple for them to use. Fostering a security-focused culture equips employees to become vigilant and capable defenders from cyber threats.

Image credit: Cammeraydave/Dreamstime.com
