US insurer paid $40 million ransom after March cyber attack: report

One of the largest insurance companies in the U.S. reportedly paid $40 million in ransom in March to regain control of its network following a ransomware attack.

CNA Financial Corp. reportedly paid the hackers two weeks after a heap of company data was stolen, and employees of the company were locked out of their network, Bloomberg reported on Thursday, citing two people familiar with the attack.

In a statement to The Hill, CNA Financial Corp. said it would not comment on the ransom, but did contend that the company followed “all laws, regulation, and published guidance.” Additionally, the company said it consulted and shared intelligence with the FBI and the Treasury Department’s Office of Foreign Assets Control that related to the attack and the hacker’s identity.

“CNA is not commenting on the ransom, but the Company did consult and share intelligence with the FBI and OFAC regarding the cyber incident and the threat actor’s identity. CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter,” the company said in a statement.

The company identified a group called Phoenix as the perpetrators of the attack.

“Due diligence efforts concluded that the threat actor responsible for the attack is a group called Phoenix. Phoenix is not on any prohibited party list and is not a sanctioned entity,” the company said.

The company, according to an incident report posted to its website, discovered that it “sustained a sophisticated cybersecurity attack” that “caused a network disruption and impacted certain CNA systems” on March 21.

In a security incident update posted on May 12, CNA Financial said, based on a data review, that it does not believe “the Systems of Record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted.”

Information regarding the March CNA Financial Corp. cyber attack comes after another U.S. company, Colonial Pipeline, sustained a ransomware attack.

The company was forced to shut down operations earlier this month as a result of the attack.

On Wednesday, Colonial Pipeline CEO Joseph Blount told The Wall Street Journal that he authorized the company to pay the criminals the equivalent of $4.4 million in bitcoins on May 7, the day of the attack, for the keys to decrypt the network.

Updated at 5:07 p.m.