Cyber Incident Victim: Hiscox Group

Date: Dec 2018

Location: United States of America

Summary

A hacker group breached a law firm advising Hiscox Group, stealing sensitive documents related to 9/11 insurance litigation and threatening public release unless ransom demands were met. The attackers claimed possession of 18,000 files, leveraging conspiracy theories around the attacks to amplify pressure, while encrypting the data and threatening incremental decryption key releases. They also attempted to extort individuals and organizations named in the documents, offering exclusion from leaks for separate payments. The compromised data included communications involving insurers, legal firms, and government agencies. Hiscox confirmed the breach originated at the external law firm, emphasized its own systems remained unaffected, notified impacted policyholders, and collaborated with international law enforcement agencies.

Description

On December 31, 2018, the hacker group known as The Dark Overlord publicly announced it had breached a US-based law firm that provided legal services to Hiscox Syndicates Ltd, Lloyd's of London, Silverstein Properties, and other insurers involved in litigation related to the September 11 attacks. The group claimed to have stolen approximately 18,000 documents containing sensitive information about 9/11 insurance claims and threatened to gradually release decryption keys for a 10GB encrypted archive of these files unless victims paid an undisclosed ransom in Bitcoin. The attackers specifically cited Hiscox and Lloyd's of London as major insurers involved in World Trade Center policies, leveraging conspiracy theories around the attacks to amplify pressure. Hiscox Group confirmed the breach occurred at an external law firm advising them on 9/11-related litigation, clarifying that their own IT systems remained uncompromised and disconnected from the law firm's infrastructure. The compromised data potentially affected up to 1,500 US-based commercial insurance policyholders of Hiscox, as previously disclosed by the law firm in April 2018 following the initial breach discovery.

The Dark Overlord escalated its extortion campaign by publishing a selection of stolen documents—including emails, letters, and communications mentioning law firms, the TSA, and FAA—to demonstrate credibility while threatening sequential data releases. The group expanded its tactics beyond media pressure by offering to sell the full dataset on dark web forums and soliciting individual payments from politicians, law enforcement agencies, and legal professionals named in the documents to suppress their information from public release. Hiscox responded by notifying affected policyholders upon learning of the breach and coordinating with UK and US law enforcement agencies. The hackers maintained an aggressive posture, warning that each decryption key release would expose new liability layers for victims. Despite the law firm’s prior breach disclosure in April 2018, The Dark Overlord’s New Year’s Eve announcement marked a renewed effort to monetize the stolen 9/11 litigation materials through coordinated blackmail, public data dumps, and psychological exploitation of historical event conspiracies.