Insurance group Axa said one of its Asian business units has been the victim of a “targeted ransomware attack”, after a group of cyber criminals claimed to have seized troves of sensitive data from the company.
Axa Partners, an international arm of the Paris-based insurer, said on Sunday that parts of its Asian operations were “recently the victim of a targeted ransomware attack which impacted its operations in Thailand, Malaysia, Hong Kong, and the Philippines”.
In an apparent first for the industry, Axa said last week that it would suspend the writing of cyber insurance policies that refund the cost of ransom payments made to cyber cartels. The move, which was limited to the group’s French customers, came as insurers have been blamed by some officials for encouraging companies to pay out by offering such reimbursements.
A person familiar with the matter said the ransomware attack happened before Axa’s decision to change its approach.
Confirmation of the attack from Axa came after cyber criminals using ransomware called Avaddon said on Saturday that they had hacked the group’s Asia operations and stolen three terabytes of data, in a dark web post seen by the Financial Times.
The post said the data were taken from its units in Thailand, the Philippines, Hong Kong and Malaysia, and included customers’ personally identifiable information, medical records and claims, as well as data from hospitals and doctors.
It also included screenshots of IDs and passport pages, bank documents, hospital bills, and medical records of patients’ personal health conditions that the hackers appeared to be sharing as proof that they had compromised the company.
The affected operations sit within Asia Assistance, which provides emergency support services, including health, to other parts of the group. Axa Partners said data processed in a Thailand unit, Inter Partners Asia, had been compromised, adding “there is no evidence that any further data was accessed”.
“A dedicated task force with external forensic experts is investigating the incident,” the company added, saying regulators and business partners have been informed.
Axa said if it was the case that “sensitive data of any individuals have been affected, the necessary steps will be taken to notify and support all corporate clients and individuals impacted”.
AXA Philippines said on its Facebook page that it was having “technical issues” with its Emma by AXA PH app, its MyAXA web portal and its corporate website.
News of the hack comes a week after the high-profile ransomware hack of a crucial US pipeline caused East Coast fuel shortages. Ransomware attacks typically seize control of victims’ data or computer systems, releasing them only if the victims pay a fee.
Like many cyber criminal cartels, Avaddon maintains the ransomware, and also rents it out to others via an affiliate programme, taking a cut of any proceeds from attacks. According to cyber security experts at Malwarebytes, the FBI last week issued a warning that an unnamed group was using Avaddon to escalate attacks against US and foreign private sector companies, manufacturing groups and healthcare agencies.
The Colonial Pipeline hack has reignited the debate over whether there should be a blanket ban on victims paying ransom. Both the White House and the FBI advise against paying extortion fees, arguing that it only provides an incentive for more blackmail activities and funds criminal activity.
However, some cyber security experts argue that organisations have little choice, and a ban could push the gangs towards more vulnerable targets, such as hospitals.
A typical cyber insurance policy would cover the ransom itself, services following the attack and data restoration or business interruption costs.
The latter is one of the “huge drivers” sending prices for cyber insurance higher, according to Sarah Stephens, head of cyber for the international division at insurance broker Marsh. The ease of launching attacks had caused an “epidemic” of ransomware incidents, she said.
Cyber insurance prices have surged in recent months as insurers pass on higher claims, with Aon, another broker, saying in March that big insurers were anticipating 20 per cent to 50 per cent rate increases throughout 2021.
“Attacks on insurers are particularly serious as the data that’s stolen can be used to attack their customers — possibly even before the insurer realises it’s been hit,” said Brett Callow, threat analyst at Emsisoft.
With additional reporting by Stefania Palma in Singapore, Primrose Riordan in Hong Kong and David Keohane in Paris