One of the US’s largest insurance companies reportedly paid $40 million to ransomware hackers

[CyberTech]

Content source

https://www.theverge.com/2021/5/20/22446388/cna-insurance-ransomware-attack-40-million-dollar-ransom

CNA Financial, one of the largest US insurance companies, paid $40 million to free itself from a ransomware attack that occurred in March, according to a report from Bloomberg. The hackers reportedly demanded $60 million when negotiations started about a week after some of CNA’s systems were encrypted, and the insurance company paid the lower sum a week later.

If the $40 million figure is accurate, CNA’s payout would rank as one of the highest ransomware payouts that we know about, though that’s not for lack of trying by hackers: both Apple and Acer had data that was compromised in separate $50 million ransomware demands earlier this year. It also seems like the hackers are looking for bigger payouts: just this week we saw reports that Colonial Pipeline paid a $4.4 million ransom to hackers. While that number isn’t as staggering as the demands made to CNA, it’s still much higher than the estimated average enterprise ransomware demand in 2020.

 

[Stopspying]

"Back in March, insurance firm CNA Hardy had much of its IT system knocked out by a ransomware attack, and sensitive data stolen.
That’s not a good look for a firm that sells cyber insurance.

And what’s also pretty ugly is that Bloomberg reports that CNA chose to pay an eye-watering $40 million to the cybercrime gang that launched the ransomware attack.
Jeepers!

As security researcher Kevin Beaumont adroitly points out on Twitter, it’s makes one raise an eyebrow at some of the things CNA Hardy has said in the past on the topic of ransomware.

“A ransomware attack can have a devastating impact on business. Developing a breach plan and knowing what steps to take in the event of an attack could help save a business.” – Brian Robb, CNA.

He’s not wrong.

(According to his LinkedIn profile, Robb left CNA Hardy last month to start a job as head of cyber at a different insurance firm. One imagines it might have looked better on his resume if he had moved on before the ransomware attack occurred, but never mind. Timing is everything.)

Meanwhile, CNA Hardy says that all of its cyber policy holders automatically get something called CNA CyberPrep. What’s that you ask?

CNA CyberPrep, built on nearly two decades of cyber insurance expertise, is a proactive program of cyber risk services developed by CNA Risk Control and CNA Cyber insurance underwriters in partnership with leading cybersecurity specialists. It is designed to aid CNA cyber policyholders in cyber threat identification, mitigation and response.

A cynic might suggest that if CNA cannot protect itself, then it’s unlikely it will be able to do the job for its clients."

Cyber insurance giant CNA paid out $40 million to its ransomware attackers

Yes, you read that correctly. FORTY MILLION DOLLARS.

grahamcluley.com

CNA have a massive PR job on their hands to keep themselves viable it appears. I tried following the LinkedIn link in this article to see where Brian Robb, the former CNA man quoted in the article, moved to. It could just be that the LinkedIn link wasn't working when I tried it, or it could be that Brain Robb has decided it is time to lie low for a while and become LinkedOUT.