Two US Insurance Companies Warn of Data Breach After SIM-Swapping Attack
Two US insurance companies are warning that thousands of individuals’ personal information may have been stolen after hackers compromised computer systems.
Washington National Insurance and Bankers Life, both subsidiaries of the CNO Financial Group, were targeted by SIM-swapping hackers in November 2023.
SIM-swapping attacks involve fraudsters tricking customer support staff at a cellphone operator into giving them control of someone else’s phone number. This allows the fraudster to receive the victim’s phone calls and SMS messages, including two-factor authentication tokens.
A breach notification letter sent by Washington National Insurance to 20,360 affected individuals explains that a SIM-swapping attack on a “senior officer’s phone number” allowed the hackers to bypass multi-factor authentication.
The company warned that personal information including names, social security numbers, dates of birth, and policy numbers may have been compromised.
Bankers Life sent a nearly identical breach notification letter to 45,842 individuals.
In short, the personal information of some 66,000 people is now in the hands of cybercriminals, who may use it for fraud or further attacks.
SIM swap attacks have been used by cybercriminals to break into systems without authorization, whether to plant ransomware, exfiltrate data, or pilfer cryptocurrency.
SMS-based two-factor authentication is less secure than authentication apps with time-based one-time passwords (TOTP) or hardware keys. Yet companies still leave themselves open to SIM-swapping.
Both insurance companies should clearly talk to their cellphone provider about preventing a similar accident from occurring again. Organizations and individuals should also avoid linking accounts to their phone number and add additional layers of security to their cellphone accounts to make it harder for a criminal to trick a cellphone operator into handing over a number.
