Return of the Guru

Security Breach at The Hartford is a Dire Warning

Ara Trembly
Insurance Experts' Forum, April 7, 2011

If you thought that events like the Epsilon breach couldn’t happen here in our sleepy little industry, yesterday’s news should be a wakeup call.

IDG News online reported yesterday that hackers have broken into The Hartford insurance company and installed password-stealing programs on several of the company's Windows servers. Although the extent of the damage is said to be minimal, it has prompted The Hartford to launch a complete review of its security procedures, according to documents released in connection with the event that were posted earlier this week to the website of the Office of the New Hampshire Attorney General. (Editor’s note: INN has contacted The Hartford regarding this situation—read what they had to say here.) 

According to the documents, the company wrote a letter to authorities on March 10, although the breach was detected on Feb. 28 and the actual infection took place on Feb. 22. The carrier sent a warning letter last month to about 300 employees, contractors, and a handful of customers. The company said it discovered the infection in late February. Several servers were hit, including Citrix servers used by employees for remote access to IT systems, said IDG.

“It was a very small incident,” said Debora Raymond, a company spokeswoman, in the online report. The victims were mostly company employees. Fewer than 10 customers were affected by the malware, the W32-Qakbot Trojan, she said. 

Qakbot has been around for about two years. Once installed, it spreads from computer to computer in the network, taking steps to cover its tracks as it logs sensitive data and opens up back doors for the hackers to access the network. The company also acknowledged that the virus has the potential to capture confidential data such as bank account numbers, Social Security numbers, user accounts/logins, passwords and credit card numbers.

While the size of this event was not significant, there are several disturbing signs here. First, The Hartford is reportedly still not sure of how its systems became infected. In a Q&A document given to employees, the company said, “Since the virus infiltrated our systems before our anti-virus software had the ability to detect it, The Hartford is conducting a complete investigation of its security procedures and will implement additional security measures to close the gaps we identified.”

It is also troubling that it took some six days for the company to realize that its systems had been breached—and another 10 days before authorities were contacted. A lot can happen in six days, and while the number of those affected may be small, their problems could be quite large. Perhaps even more concerning is the damage this does to the reputation of an insurer that counts on a rock-solid image of security to help sell its wares.

Debra Hampson, assistant VP and general counsel for The Hartford, told authorities in New Hampshire that her company has “no reason to believe that any information has been or will be misused.” That’s a dangerous statement given the fact that the origin of the attack is unknown and that the long-range consequences have yet to be seen. The Hartford, however, is stepping up and providing two years of free credit monitoring to the victims it has identified.  

For now, it is important to remember that what happened at The Hartford could easily have happened at any of the hundreds of other insurance companies. While you may be wiping your brow and thanking your lucky stars that this story was not about your company, try not to forget that the next breach could be right under your nose. An industry that thrives on assessing risk needs to take a look at its own profile and step up efforts to secure the sensitive information on our customers and our associates.

Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.

Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at ara@aratremblytechnology.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.

Comments (1)

Spot on Ara. Some don't think this, but an insurance company is a financial institution, keeping vast amounts of sensitive information. We need to look to how banks and stock trading companies handle security.

Posted by: Chester G | April 8, 2011 11:20 AM
