Erie Insurance said it has “seen no evidence of ransomware and there is no indication of ongoing threat actor activity” in a June 17 update on its 10-day long network outage.
That statement would appear to contradict claims in two class action lawsuits filed against the insurer. Both lawsuits claimed a ransomware group accessed the insurer’s network and there was a a data breach.
Erie has also not acknowledged any data breach.
“At this time, we have control of our systems,” the insurer reported. The company said it continues to work with cybersecurity experts around the clock to restore access for customers, agents and employees.
“Unfortunately, incidents like this are becoming increasingly sophisticated and can impact even the most well-protected organizations. Upon detecting unauthorized activity, we took immediate action to contain the issue and have since implemented additional security measures to further strengthen our systems,” the statement said.
One of the lawsuits was filed by an Illinois customer, Neil Plascencia; the other by Amy Haas, a former Erie employee who lives in Wisconsin. Both claim Erie Insurance was negligent in not protecting their personally identifiable information (PII) and each seeks $5 million in damages.
Both actions assert that a ransomware group accessed Erie’s information network on June 7 and that there was a data breach.
According to a report attributed to Google Threat Intelligence Group, the cybercrime group Scattered Spider could be behind Erie’s woes given the timing, although this has not been confirmed. Google has warned insurers that Scattered Spider, which had been attacking retailers in the U.S. and U.K., appears to be now going after insurers.
The insurer has said only that on Saturday, June 7, its information security team identified unusual network activity and the company took immediate action to safeguard its systems and data. The insurer’s systems have been down since then. Phone, email, and online applications have been affected by the outage.
Plaintiff Plascencia maintains he received an emailed letter from Erie in June notifying him that a security incident exposed his PII to criminals.
A spokesperson said the insurer does not comment on pending litigation.
Requests for comment from the lawyers for the class actions have not yet been answered.
Erie Insurance encouraged customers to follow best practices around personal security and notify their financial institutions of any unusual activity.
Topics
Cyber
Interested in Cyber?
Get automatic alerts for this topic.
