Privacy Ninja
US Insurance Giant AJG Reports Data Breach After Ransomware Attack

Arthur J. Gallagher (AJG), a US-based global insurance brokerage and risk management firm, is mailing breach notification letters to potentially impacted individuals following a ransomware attack that hit its systems in late September.

“Working with the cybersecurity and forensic specialists to determine what may have happened and what information may have been affected, we determined that an unknown party accessed or acquired data contained within certain segments of our network between June 3, 2020 and September 26, 2020,” AJG said.

As one of the largest insurance brokers in the world, AJG has over 33,300 employees and its operations span 49 countries.

The company is also ranked 429 on the Fortune 500 list, and it reportedly provides insurance services to customers from more than 150 countries.
Personal, financial, and health information exposed in the attack

While AJG didn’t say in the SEC filing announcing the ransomware attack if any customer or employee data was accessed or stolen by the attackers, a subsequent investigation found multiple types of sensitive information stored on systems breached during the incident.

The types of information discovered on compromised systems during the review include: “Social Security number or tax identification number, driver’s license, passport or other government identification number, date of birth, username and password, employee identification number, financial account or credit card information, electronic signature, medical treatment, claim, diagnosis, medication or other medical information, health insurance information, medical record or account number, and biometric information.”

To further illustrate the types of sensitive data that might’ve gotten accessed in the incident, AJG says in its privacy policy that it collects the following info from customers:

  • personal details (e.g., name, date of birth);
  • contact details (e.g., phone number, email address, postal address or mobile number);
  • government-issued identification details (e.g., social security and national insurance numbers, passport details);
  • health and medical details (e.g., health certificates);
  • policy details (e.g., policy numbers and types);
  • bank details (e.g., payment details, account numbers, and sort codes);
  • driving license details;
  • online log-in information (e.g., username, password, answers to security questions);
  • information relating to any claims;
  • other information received from applications or required questionnaires (e.g., occupation, current employer);

AJG is now notifying data regulatory authorities and all potentially impacted individuals (7,376 according to information provided to the Office of Maine’s Attorney General) as required by law.

The company is also warning affected individuals of identity theft risks and recommends keeping an eye out for unusual activity on their account statements and credit reports.

While Gallagher is not aware of any attempted or actual misuse of the impacted information, Gallagher is providing access to credit monitoring services for twenty-four months through Kroll to individuals whose personal information was affected by this incident, at no cost to these individuals. — AJG

AJG shut down all systems to block the attack

AJG said in an 8-K filing with the U.S. Securities and Exchange Commission (SEC) on September 28, 2020, that only a limited number of its internal systems were affected by the ransomware attack.

“We promptly took all of our global systems offline as a precautionary measure, initiated response protocols, launched an investigation, engaged the services of external cybersecurity and forensics professionals, and implemented our business continuity plans to minimize disruption to our customers,” AJG said.
The company didn’t reply to any of BleepingComputer’s attempts to reach out for more info on how the attackers breached its network.

However, Bad Packets’ chief research officer Troy Mursch said AJG had two F5 BIG-IP servers on its network that were vulnerable to CVE-2020-5902 before the ransomware attack.

At the moment, the ransomware gang behind this attack is still unknown. Still, more than 20 different ransomware operations are known to first steal sensitive files from victims’ servers before deploying their payloads.

This stolen data is used as leverage to force compromised organizations into paying ransoms under the threat of gradually leaking the info.

In some cases, the ransomware gangs are also increasing the ransom until the entire batch of stolen files is leaked on sites specifically designed for this exact purpose.