Return of the Guru

Security Breach at The Hartford is a Dire Warning

Ara Trembly
Insurance Experts' Forum, April 7, 2011

If you thought that events like the Epsilon breach couldn’t happen here in our sleepy little industry, yesterday’s news should be a wakeup call.

IDG News online reported yesterday that hackers have broken into The Hartford insurance company and installed password-stealing programs on several of the company's Windows servers. Although the extent of the damage is said to be minimal, it has prompted The Hartford to launch a complete review of its security procedures, according to documents released in connection with the event that were posted earlier this week to the website of the Office of the New Hampshire Attorney General. (Editor’s note: INN has contacted The Hartford regarding this situation—read what they had to say here.) 

According to the documents, the company wrote a letter to authorities on March 10, although the breach was detected on Feb. 28 and the actual infection took place on Feb. 22. The carrier sent a warning letter sent last month to about 300 employees, contractors, and a handful of customers. The company said it discovered the infection in late February. Several servers were hit, including Citrix servers used by employees for remote access to IT systems, said IDG

“It was a very small incident,” said Debora Raymond, a company spokeswoman, in the online report. The victims were mostly company employees. Fewer than 10 customers were affected by the malware, the W32-Qakbot Trojan, she said. 

Qakbot has been around for about two years. Once installed, it spreads from computer to computer in the network, taking steps to cover its tracks as it logs sensitive data and opens up back doors for the hackers to access the network. The company also acknowledged that the virus has the potential to capture confidential data such as bank account numbers, Social Security numbers, user accounts/logins, passwords and credit card numbers.

While the size of this event was not significant, there are several disturbing signs here. First, The Hartford is reportedly still not sure of how its systems became infected. In a Q&A document given to employees, the company said, “Since the virus infiltrated our systems before our anti-virus software had the ability to detect it, The Hartford is conducting a complete investigation of its security procedures and will implement additional security measures to close the gaps we identified.”

It is also troubling that it took some six days for the company to realize that its systems had been breached—and another 10 days before authorities were contacted. A lot can happen in six days, and while the number of those affected may be small, their problems could be quite large. Perhaps even more concerning is the damage this does to the reputation of an insurer that counts on a rock-solid image of security to help sell its wares.

Debra Hampson, assistant VP and general counsel for The Hartford, told authorities in New Hampshire that her company has “no reason to believe that any information has been or will be misused.” That’s a dangerous statement given the fact that the origin of the attack is unknown and that the long-range consequences have yet to be seen. The Hartford, however, is stepping up and providing two years of free credit monitoring to the victims it has identified.  

For now, it is important to remember that what happened at The Hartford could easily have happened at any of the hundreds of other insurance companies. While you may be wiping your brow and thanking your lucky stars that this story was not about your company, try not to forget that the next breach could be right under your nose. An industry that thrives on assessing risk needs to take a look at its own profile and step up efforts to secure the sensitive information on our customers and our associates.

Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.

Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at ara@aratremblytechnology.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.

Comments (1)

Spot on Ara. Some don't think this, but an insurance company is a financial institution, keeping vast amounts of sensitive information. We need to look to how banks and stock trading companies handle security.

Posted by: Chester G | April 8, 2011 11:20 AM

Report this Comment

Add Your Comments...

Already Registered?

If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.

Forgot your password?

Not Registered?

You must be registered to post a comment. Click here to register.

Blog Archive

Mobile Device Management – Find That Middle Ground

There's a tug of war over BYOD, but neither those in favor nor those against should tug too hard.

Vendors Embrace Mobile Technology

IT leaders at software firms clearly recognize the importance of mobility to drive their businesses forward. Almost 70 percent see mobility as mission critical or important to their organization today.

Digital Vision vs. Harsh Reality

Much work remains to reconcile insurers' digital vision with the digital reality that seems to be arriving for other industries.

Big Data Is Paying Off

Insurers are getting business benefit out of their big data projects, but these projects alone won't grow their business.

What Can Insurers Learn from Home Depot?

The latest cyber-attack highlights the importance of helping policy holders defend themselves.

Not Your Father’s Insurance Company

Carriers need to look at new and impactful ways to be there for their customers.