Globe Life insurance investigates data breach due to permission and identity vulnerabilities
In a filing with the SEC late last week, life and supplemental health insurance provider Globe Life disclosed a data breach impacting the information of its consumers and policyholders.
The company said that, after an inquiry from a state insurance regulator, it launched an investigation into “potential vulnerabilities related to access permissions and user identity management for a Company web portal”, which showed that the vulnerabilities likely allowed unauthorized access to consumer and policyholder data.
Globe Life removed external access to the compromised portal and believes the issue is isolated to it. The company does not expect its operations to be significantly impacted.
According to its website, Globe Life companies have more than 17 million policies.
This comes in the aftermath of the February UnitedHealthcare attack, one of the worst to hit American healthcare, which impacted an estimated 50% of U.S. medical claims.
Experts with Cyware and Horizon3.AI offer perspectives on the matter.
Stephen Gates, Principal Security SME, Horizon3.AI, had this to say:
“In this scenario, it seems that a web portal was likely there to allow third-parties, agents, or employees to remotely access insurance information, initiate new applications, potentially make claims, and so on. It is also likely that two-factor authentication (2FA) was not implemented, as indicated by the mention of ‘potential vulnerabilities related to access permissions and user identity management.’
“Typically, a portal provides access to information stored in a database within the network. If an attacker gained access to the portal, it would generally imply they could access the data stored in that database. While there isn’t sufficient evidence to suggest that the attacker moved laterally within the network, there are indications of a potential breach involving confidential data.
“I would suggest looking for any information that may have been logged by the web portal in the context of activities that would suggest a breach of information. This is one of the reasons why logging user activities is always recommended.”
Emily Phelps, Director, Cyware, follows with this comment:
“When dealing with potential vulnerabilities in web portals, detaching the portal from the network can be a quick mitigation step, but it’s often more complex. There’s always a chance of lateral movement, especially if the attacker had time to explore the network before detection. It’s crucial to conduct a thorough investigation to understand the extent of the breach and whether any data was exfiltrated or manipulated.
“The depth of the information stolen and the exact nature of the breach—whether it involves ransomware or not—can impact the company’s response and regulatory obligations. Companies often report breaches to demonstrate transparency and compliance, but the material impact can vary widely.
“The SEC has been progressively tightening regulations around data breaches and cybersecurity. As breaches continue to occur, we can expect even stricter oversight and requirements for companies to implement robust cybersecurity measures and provide timely, detailed disclosures.
“In general, these incidents highlight the need for continuous improvement in cybersecurity practices, particularly in access permissions and user identity management, to prevent unauthorized access and minimize potential damage from breaches.”
No breach is good. But this one seems really bad based on scale alone. Until companies get their heads around looking holistically at their security, this sort of thing will unfortunately keep happening.
This entry was posted on June 19, 2024 at 9:38 am and is filed under Commentary with tags Hacked.