Insurance Identity theft: The weakest link

Anyone following the cybercrime landscape over the past two decades will be aware of one inalienable truth: online criminals will always go where there are people and money. Unfortunately, a side effect of the digital revolution is that there are more online users and, as a result, greater access to highly lucrative data everywhere today. The insurance industry is no different, thanks to the wealth of sensitive data that these companies store. According to Accenture, companies in the sector are hit on average by more than three successful attacks each month.

Credentials are a major weak link in the cybersecurity chain, allowing attackers to compromise customer and corporate accounts to commit identity theft and fraud, effect mass data breaches, and much more. To wrest the initiative back, insurers are encouraged to use threat intelligence to help proactively improve cyber-defense and reduce attacker dwell time.

A treasure trove of data

Insurance companies today are a treasure trove of highly sensitive personal and financial details. Some of it, such as healthcare information, could be used to blackmail individuals who would rather the details were not publicized. Other information could be accessed to enable straightforward identity theft – helping criminals hijack customer bank accounts or buy goods using stolen card details. Fraudsters could also log in to insurance accounts, change the payee name and then make a series of fraudulent claims. In some countries, information on policyholders could even be used to choose wealthy targets for kidnapping and ransoming.

All of these threats boil down to that single source of weakness: compromised credentials. Banking Trojans are an increasingly popular means to harvest these log-ins from customers via Man in the Browser (MitB) techniques. Malware can also be aimed at the insurance organization itself, by exploiting vulnerabilities in key systems. Phishing can achieve the same results, often without the need for malware at all. Social engineering of the victim through a trick message could be enough to convince a customer or employee to click through and hand over their log-ins. In brute force attacks, the cyber-criminal may not have credentials at all, but simply ‘guesses’ them by trying huge numbers of variations via automated systems.

Once they have credentials, the bad guys can either hijack individual customer accounts for identity fraud, or gain access to key enterprise systems.

Access to enterprise systems is potentially even worse. If they get key network and system log-ins, attackers could theoretically locate and exfiltrate vast stores of customer data, including credentials, to sell on the dark web or use themselves.

Or they could access content management and social media accounts and deface them with shock messages. Individual accounts could even be hacked to spread further malware or launch business email compromise (BEC) attacks designed to trick finance staff into making large corporate fund transfers.

Insurance Credential Theft Impact

The bad news is that a typical insurance firm will face 113 targeted attempts to breach systems each year, with more than a third successful. Yet according to Accenture, 79% of executives in large insurers are confident in their security strategy. This false sense of security is hugely damaging to an industry already beset by major breaches.

Perhaps the most famous was a 2015 attack on Anthem Insurance, which compromised personal data on 80 million customers. It was made possible after attackers got hold of key network credentials. That same year, fellow US insurer Premera Blue Cross spilled details on 11m customers. Over one million CareFirst customers were hit by a similar heist.

If there were any doubt about the serious financial and reputational repercussions of a breach, these cases alone should focus the minds of insurance CEOs. The average cost of a data breach is pegged at $3.9m by IBM, although it can go far higher. Anthem agreed last year to pay a massive $115m to settle lawsuits brought against the firm following its breach, while another firm, Nationwide Mutual Insurance, agreed to pay $5.5m after a smaller incident. This isn’t to mention the cost of investigating, remediating and reporting the initial incident, any hit to share price, regulatory fines and long-term impact to the brand and customer loyalty.

On top of this, insurers now have the added regulatory cost of GDPR compliance, where fines can theoretically go as high as 4% of global annual turnover if the company is deemed to have seriously contravened the law.

Armed with insight

Some 61% of insurers claim it takes months to detect security breaches. This has got to change. Threat intelligence services can be trained to scour the surface, deep and dark web for signs of sensitive customer data, credentials and IP, indicating that there may have been a breach. Invest in threat feeds that provide real-time data and you have a fantastic asset which could help you take action to mitigate a breach before the stolen data has been sold or used.

In a similar way, threat intelligence can be used to scour the web for malware, including MitB attacks targeting specific insurers, so they can help better protect customers and their own cybersecurity infrastructure. Information on current phishing campaigns could even be leveraged to improve internal user training in how to spot attacks.

Layer this actionable insight up with other security best practices like multi-factor authentication, regular pen-testing and good password management, and you have the basis of a highly effective response to the mounting digital threats facing the insurance space.
