Security Breach at The Hartford is a Dire Warning

If you thought that events like the Epsilon breach couldn’t happen here in our sleepy little industry, yesterday’s news should be a wakeup call.

IDG News online reported yesterday that hackers have broken into The Hartford insurance company and installed password-stealing programs on several of the company's Windows servers. Although the extent of the damage is said to be minimal, it has prompted The Hartford to launch a complete review of its security procedures, according to documents released in connection with the event that were posted earlier this week to the website of the Office of the New Hampshire Attorney General. (Editor’s note: INN has contacted The Hartford regarding this situation—read what they had to say here.) 

According to the documents, the company wrote a letter to authorities on March 10, although the breach was detected on Feb. 28 and the actual infection took place on Feb. 22. The carrier sent a warning letter sent last month to about 300 employees, contractors, and a handful of customers. The company said it discovered the infection in late February. Several servers were hit, including Citrix servers used by employees for remote access to IT systems, said IDG

“It was a very small incident,” said Debora Raymond, a company spokeswoman, in the online report. The victims were mostly company employees. Fewer than 10 customers were affected by the malware, the W32-Qakbot Trojan, she said. 

Qakbot has been around for about two years. Once installed, it spreads from computer to computer in the network, taking steps to cover its tracks as it logs sensitive data and opens up back doors for the hackers to access the network. The company also acknowledged that the virus has the potential to capture confidential data such as bank account numbers, Social Security numbers, user accounts/logins, passwords and credit card numbers.

While the size of this event was not significant, there are several disturbing signs here. First, The Hartford is reportedly still not sure of how its systems became infected. In a Q&A document given to employees, the company said, “Since the virus infiltrated our systems before our anti-virus software had the ability to detect it, The Hartford is conducting a complete investigation of its security procedures and will implement additional security measures to close the gaps we identified.”

It is also troubling that it took some six days for the company to realize that its systems had been breached—and another 10 days before authorities were contacted. A lot can happen in six days, and while the number of those affected may be small, their problems could be quite large. Perhaps even more concerning is the damage this does to the reputation of an insurer that counts on a rock-solid image of security to help sell its wares.

Debra Hampson, assistant VP and general counsel for The Hartford, told authorities in New Hampshire that her company has “no reason to believe that any information has been or will be misused.” That’s a dangerous statement given the fact that the origin of the attack is unknown and that the long-range consequences have yet to be seen. The Hartford, however, is stepping up and providing two years of free credit monitoring to the victims it has identified.  

For now, it is important to remember that what happened at The Hartford could easily have happened at any of the hundreds of other insurance companies. While you may be wiping your brow and thanking your lucky stars that this story was not about your company, try not to forget that the next breach could be right under your nose. An industry that thrives on assessing risk needs to take a look at its own profile and step up efforts to secure the sensitive information on our customers and our associates.

Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.

Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at ara@aratremblytechnology.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.

For reprint and licensing requests for this article, click here.
Analytics Security risk Data and information management Policy adminstration Data security
MORE FROM DIGITAL INSURANCE