Erie Insurance and Philadelphia Insurance Still Recovering From Separate Attacks
Statements by Erie Indemnity Co. and Philadelphia Insurance Companies indicate that voluntary decisions to disconnect their systems from the network – not ransomware encryption – have disrupted operations over the past 10 days since the carriers were hit with separate cyberattacks.
Both are continuing to warn customers of potential email and phone scams tied to their incidents.
Erie Indemnity – which does business as Erie Insurance – had filed a report to the U.S. Securities and Exchange Commission on June 11 telling regulators it was dealing with a cyber incident discovered on June 7 (see: Erie Insurance Tells SEC It’s Responding to Cyber Incident).
The company, in its latest public update about the incident on Tuesday, said it continues to “work around the clock to restore access for customers, agents and employees.”
“At this time, we have control of our systems,” Erie Insurance said. “We have seen no evidence of ransomware, and there is no indication of ongoing threat actor activity,” the company said.
“Upon detecting unauthorized activity, we took immediate action to contain the issue and have since implemented additional security measures to further strengthen our systems.”

Erie Insurance is also continuing to warn its customers about potential phone and email scams related to the incident.
“We encourage customers to follow best practices around personal security and notify their financial institutions of any unusual activity,” Erie said. “During this outage, Erie Insurance will not contact customers by phone or email to request payments. As always, do not click on any links from unknown sources or share your personal information via phone or email.”
While the company’s “protective actions” are ongoing, Erie Insurance’s local agents, claims and customer care teams are continuing to serve customers, the statement said.
As of Thursday, at least two proposed federal class action lawsuits had been filed against Erie Insurance involving the hack.
Similarly, Philadelphia Insurance Companies – which also includes Tokio Marine America and First Insurance Company of Hawaii – said in an update Tuesday that it is working to restore full functionality following its recent network outage.

“Late on Monday, June 9, our IT security team received an alert regarding suspicious activity on our network,” Philadelphia Insurance said.
“In response, we chose to disconnect the network to contain the threat. The network shutdown caused a disruption to our operations, which we are in the process of resolving. We have reported the incident to law enforcement and have engaged third-party forensic experts to assist us,” the company said. No systems were encrypted in the incident. “This was not a ransomware event,” the company said.
“The network shutdown broadly impacted all company systems, including email, phone and online applications. The network shutdown was necessary to contain the threat and protect company systems and data,” Philadelphia Insurance said.
A forensic investigation is ongoing, including to determine if customer data was accessed, Philadelphia Insurance said.
“At this point, all of our systems have been secured and we are working to restore full functionality. Our claims hotlines remain available, and our customer service centers are resuming operations.”
Like Erie Insurance, Philadelphia Insurance is also warning customers of potential scam phone calls and emails. “As a precaution, we are reminding all customers to exercise caution when receiving any unsolicited emails or phone calls asking for personal information. Customers should not click on links from unknown sources.”
Customers that receive suspicious calls or other correspondence are urged not to provide any information and to contact Philadelphia Insurance’s customer service staff.
“The company is already taking steps to further strengthen its defenses and reduce the risk of future threats,” Philadelphia Insurance said.
Attack Trends
The two companies’ statements that so far neither Erie Insurance nor Philadelphia Insurance has found evidence of ransomware encryption suggest the attacks instead potentially involved data theft, some experts said.
“The possibility of data exfiltration remains a concern, as threat actors can leverage stolen data for various malicious activities,” said Peter McMurtrie, a partner in consulting firm West Monroe’s insurance practice.
But at this time, the exact motives of the cybercriminals are unknown, said Keith Fricke, partner and principal consultant at tw-Security. “They may have intended to exfiltrate data for purposes of extortion. They could have also been interested in stealing data for identity theft purposes or sold the information to another criminal element,” he said.
“Insurance companies have a rich set of data criminals can use for identity theft, medical identity theft, email addresses, possibly credit card data and other useful information,” he said.
In any case, the potential number of individuals affected could be in the millions, given the size of both insurance companies and the vast amount of sensitive data they manage, McMurtrie said.
By focusing on data exfiltration, cybercriminals can achieve similar, if not even greater, leverage and profitability with less technical effort than ransomware encryption and a lower risk of detection or disruption, McMurtrie said.
“That said, I would caution against overstating the decline of ransomware encryption. It remains a highly profitable tactic for many threat actors. The shift towards data exfiltration is an adaptation and an additional tactic within the evolving landscape of cybercrime.”
In the cyberattack on health insurer UnitedHealth Group in February 2024, attackers deployed ransomware on the systems of UHG’s IT services unit, Change Healthcare. The company took more than 100 systems offline to contain the spread of malware, resulting in an outage that lasted for several months.
That incident also involved data exfiltration, resulting in the largest reported health data breach to date – affecting 190 million individuals.
Steps to Take
To be better prepared for such incidents, insurance companies should ensure they have well-defined incident response and business continuity plans in place, McMurtrie said.
“These plans should be communicated clearly across the organization and tested regularly,” he said. “Real-world incidents like what happened with Erie and Philadelphia Insurance can serve as excellent scenarios to test the quality of plans to address both potential breaches and ensure preparation for an extended period of system downtime.”
Defenses against falling victim to these types of incidents “comes down to all the general security block and – preventative measures,” Fricke said.
That includes email and web filtering; endpoint protection against malicious software; ensuring sensitive data are encrypted; maintaining current security patches on operating systems, databases and applications; detective measures such as event log collection and analysis; and around-the-clock monitoring and alerting on suspicious activity, he said.
Organizations should periodically rehearse incident response plans, back up data regularly and test restores, and provide consistent education and awareness for the workforce on ways to identify suspicious activity, spot and report phishing emails and understand security and privacy policies, Fricke said.
“Events like these reinforce the importance of regularly testing and running scenarios – something organizations should be doing consistently,” McMurtrie said.