Details were scant at the time of the attack, and while CNA acted very efficiently – immediately engaging a team of third-party forensic experts to investigate and determine the full scope of the incident, as well as engaging with law enforcement – it was uncertain whether any corporate or client data was exfiltrated.
It was soon revealed that CNA’s systems were infected with ransomware. In May, two sources, who asked not to be identified because they lacked authorisation to discuss the matter, told Bloomberg that CNA had paid a $40 million ransom to hackers for the release of its systems and data.
At the time, CNA spokesperson Cara McCall said: “CNA is not commenting on the ransom. CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”
On Friday, July 09, the insurer announced it had concluded its investigation into the cybersecurity incident. The firm announced: “The investigation determined that the threat actor accessed certain CNA systems at various times from March 05, 2021 to March 21, 2021. During this time period, the threat actor copied information before deploying the ransomware.
“However, CNA was able to quickly recover that information and there was no indication that the data was viewed, retained or shared. Therefore, there is no reason to suspect the information has or will be misused, or that there is any risk of harm to individuals resulting from this incident.”
To provide policyholders with extra peace of mind, CNA is providing notice of the incident to individuals based on the personal information in the temporarily obtained data – the majority of whom are current and former employees, contract workers and their dependents. CNA is also offering 24 months of complimentary credit monitoring services to affected individuals in the US, alongside a toll-free hotline through Experian, which people can call if they have questions about the incident or the services the insurer is offering.
The statement from CNA concluded: “Our forensic investigation revealed no indication that CNA or its policyholder data was specifically targeted by this threat actor. Since the incident, CNA has implemented numerous additional measures designed to enhance the security of its network, systems, and data. The security of the personal information in our care is important to us and we thank our stakeholders for their continued trust in CNA and for their patience as we navigated this incident and conducted a diligent, thorough review.”
The ransomware attack against CNA is proof that no organisations – even those that are home to cybersecurity experts – are fully secure in today’s evolving cyber threat landscape. As Chris Clements, VP of solutions architecture at cybersecurity firm Cerberus Sentinel, pointed out: “The vast majority of organisations are only a mistake or two away from suffering [an attack]” even if they do security well.
“Ransomware operators are no longer content with simply encrypting systems and calling it a day,” Clements added. “It’s commonplace now for a breach to involve exfiltration of any and all data cybercriminals can get their hands on, whether to hold as a secondary extortion or to sell to the highest bidder on the dark web. A solid backup and restore strategy alone is no longer sufficient for ensuring that an organisation will survive a compromise unscathed. Once data has been stolen there is no guarantee that it won’t be resold or even dumped for free by threat actors.”
According to Clements, true resiliency to cyberattacks must come from “adopting an organisation wide culture of security” centred around prevention and detection of cyber threats. He said: “Culture must start at the top with the understanding of the risks and commensurate commitment to the effort required to ensure that everything possible is being done to protect both the organisation and its customers.”