Farmers Insurance, one of the country’s largest insurers of homes, vehicles, and small businesses, revealed late last week that it has fallen prey to a third-party cyberattack which could have exposed the sensitive data of 1.1 million customers.
“We recently discovered that an unauthorized third party briefly accessed a vendor’s system that contained some Farmers’ customer information,” the company said in a statement shared with Newsweek. “The incident involved only limited information from certain customers.”
While the consequences for affected customers are not yet clear, the data breach exposes the vulnerability of insurance companies and their customers to such attacks. Farmers serves about 10 million households around the country and counts 19 million insurance policies nationwide, according to Insurance Business Mag, covering vehicles, homes, life, and commercial activities.
What Do We Know About The Cyberattack?
The data breach was notified by both Farmers New World Life Insurance and Farmers Group, its parent company, with filings to state regulators. A filing from Farmers New World Life Insurance to the Maine Attorney General’s Office said that 40,000 individuals were affected by the data breach; another filing from Farmers Group said that as many as 1,071,172 policyholders were impacted.
Crucially, the data breach occurred about three months ago, long before Farmers disclosed the cyberattack with a notice on its website. Farmers said it was not directly targeted, but that it was informed by a third-party vendor on May 30 that a database containing Farmers’ policyholders information had been accessed illegally the day before.
“There’s still a lot that’s unknown,” West Monroe’s cyber expert Christina Powers told Newsweek. “Even though this breach happened three months ago now, Farmers just made it public and started notifying people in the last couple of days or couple of weeks,” she said.
“What we have heard from them is that attackers were able to access a database with their information that was kind of under control or management of a third party. We don’t know who that was,” Powers added.
“There’s speculation out there, but that’s all we know. I think that they’re keeping a lot of the details closely guarded. It could have been something like what we’ve seen with other insurance companies, where someone was successfully able to fish credentials and then use those credentials to legitimately gain access [to the company’s database], but there’s just a lot that’s unknown.”
What Data Was Compromised?
According to Farmers, among the information compromised in the breach there are customers’ names, addresses, dates of birth, driver’s license numbers, and the last four digits of their Social Security numbers.
“That can be used to commit things like identity fraud,” Powers said. “It can be used to commit more targeted attacks against individuals or entities, with information that’s known about them. And so ultimately the goal here is some sort of financial or monetary gain for the attackers.”
The company said that while it is not aware of any personal information involved in the incident being misused, it encourages individuals “to remain vigilant against instances of identity theft and fraud by reviewing financial account statements and credit reports for any anomalies, and to notify their financial institution of any unauthorized transactions or suspected identity theft.”
Why Attacking Insurance Companies?
Farmers is not the first American insurance company to reportedly be victim of a data breach in recent months. Allianz Life Insurance Company of North America reported a major breach in July, which prompted a class-action lawsuit against the company for failing to protect customer data.
“We are seeing the industry targeted by attackers, just given how much sensitive information there is,” Powers said. “They’ve got PII [personally identifiable information], things like birthdays, addresses, driver’s license, Social Security numbers, and so on,” she added.
“All of that can be very valuable to attackers either for direct financial gain—identity fraud, impersonation—or to then be used to conduct further cyberattacks with the data that they’re able to access either on individuals or business entities that may be insured by these companies.”
Powers wouldn’t be surprised, she said, if there were more insurers that still haven’t disclosed being victims to attacks or that attackers are still going after.
In terms of what insurance companies are doing or how well prepared they are to face these new challenges, Powers thinks that it is difficult for companies to “stay on top” of these cyberattacks, “especially with the interconnection of how many third parties are involved, how many different platforms they’re using to conduct business, how the data flows,” she said.
“The attack surface for the insurance industry is very broad. I think there are some basic things that insurance companies can be doing, making sure that they’ve got an understanding of where all of their data is and how it’s being protected,” Powers said.
“And then the combination of having cyber controls in place to limit who has access to what, as well as having the monitoring that’s able to flag things that look anomalous or suspicious, like in this case.”
What Is Farmers Doing About It?
A spokesperson for Farmers told Newsweek that an investigation on the data breach is ongoing.
“An investigation—conducted with both internal and external security experts—found no evidence that the exposed data has been misused, nor any indication that Farmers’ own systems were compromised,” the company said in a statement. “We are contacting affected individuals directly and are providing support resources, including complimentary credit monitoring.”
Farmers is also offering free credit monitoring services to affected customers for 24 months.
But the data breach also shifted attention toward Farmers itself. Schubert Jonckheer & Kolbe, a law firm representing shareholders, employees and consumers in class action lawsuits, said it is investigating the breach and whether Farmers violated state and federal laws by waiting so long to inform affected customers.
When a cyberattack occurs, there is a reputational risk for affected companies, West Monroe’s insurance industry lead Peter McMurtrie told Newsweek.
“One thing is simply having your name out there for having been breached,” he said. “But then I think a second component is just that reputational risk of how quickly you’re acting in defense of your policyholders and protecting them. We’ll see how this plays out with Farmers and what the lasting impact of that reputational risk is.”
The post Farmers Insurance Data Breach Impacts 1 Million Americans: What To Know appeared first on Newsweek.
