Following the ransomware attack that insurance giant CNA faced in March, the company is now notifying customers of a data breach stemming from the Phoenix Cryptolocker.
In a letter notifying customers of the breach, CNA revealed that “the threat actor accessed certain CNA systems at various times from March 5, 2021, to March 21, 2021”. According to the breach information filed with the office of Maine’s Attorney General, the data breach affected about 75,349 individuals.
In an attempt to restore confidence and protect its customers, the company is offering 24 months of complimentary credit monitoring and fraud protection through Experian’s IdentityWorks. CNA has also opened a toll-free hotline for people to enquire about the incident.
Recovering from a major incident
In the attack carried out on 21 March, the Phoenix Cryptolocker threat actors encrypted about 15,000 devices after deploying the ransomware payload on CNA’s systems. Even remote workers’ systems that were logged into the company’s VPN were encrypted.
Based on code similarity, the Phoenix Locker is believed to have been developed by the Evil Corp hacking group. The FBI has been notified and is cooperating with CNA to help conduct their investigation.
The company was able to restore its servers and claimed to be in a “fully-restored state”. Since then, after discovering the data breach and going through the files involved, the company found that the stolen files contained personal information, including names and social security numbers.
More specifically, the threat actor was able to access CNA’s servers between 5 March and 21 March and copied a limited amount of information before the ransomware was actually deployed.
CNA claims to have been “able to quickly recover that information and there was no indication that the data was viewed, retained or shared.”