Two US insurance companies are warning that hundreds of people’s personal information may have been stolen after hackers compromised computer systems.
Washington National Insurance and Bankers Life, both subsidiaries of the CNO Financial Group, were targeted by SIM-swapping hackers in November 2023.
As we have described before, SIM-swapping attacks involve fraudsters tricking customer support staff at a cellphone operator into giving them control of someone else’s phone number. This allows the fraudster to receive the victim’s phone calls and SMS messages, including two-factor authentication tokens.
In some cases, SIM-swappers hijack phone numbers with the help of a rogue insider at the cellphone company.
A breach notification letter sent by Washington National Insurance to 20,360 affected individuals explains that a SIM-swapping attack on a “senior officer’s phone number” allowed the hackers to bypass multi-factor authentication.
The company warned that personal information including names, Social Security numbers, dates of birth, and policy numbers may have been stolen.
Bankers Life sent a nearly identical breach notification letter to 45,842 individuals.
In short, the personal information of some 66,000 people is now in the hands of cybercriminals, who may use it for fraud or further attacks.
What I find particularly alarming is that SIM swap attacks aren’t new. Criminals use this technique to break into systems without authorisation, whether to plant ransomware, exfiltrate data, or pilfer cryptocurrency.
SMS-based two-factor authentication is less secure than authentication apps with time-based one-time passwords (TOTP) or hardware keys. Yet companies still leave themselves open to SIM-swapping.
With SIM-swapping so prevalent and easy for criminals to pull off, organizations and individuals should avoid linking accounts to their phone number. They should also add extra layers of security to their cellphone accounts to make it harder for a criminal to trick a cellphone operator into handing over a number.
Both insurance companies should clearly talk to their cellphone provider about preventing a similar incident from happening again.