Cyber Incident Victim: One Call Insurance

Date: May 2021

Location: United Kingdom

Summary

One Call Insurance suffered a ransomware attack by the Darkside gang, which demanded £15 million to prevent public release of customer data including passwords and bank details. The incident caused significant IT system disruptions, prompting the company to engage forensic specialists to restore services in a new secure environment while prioritizing customer support systems; investigations were ongoing to determine potential data compromise. Authorities including the ICO and industry regulators were notified, with Darkside's involvement highlighting the group's continued criminal activity despite prior claims of disbanding, and the gang was linked to the Carbanak cybercrime operation known for financial malware attacks.

Description

On May 13, 2021, One Call Insurance, a Doncaster-based insurance firm, experienced disruption to its IT systems, later confirmed as a ransomware attack by the Darkside criminal group. The attackers deployed ransomware that displayed a message demanding £15 million in exchange for not publicly releasing stolen customer data, including passwords and bank details. One Call immediately engaged IT forensic specialists to investigate the incident and restore systems. The company prioritized rebuilding customer service systems in a new, secure environment to maintain support for existing clients. By May 21, One Call had not yet determined whether any data was exfiltrated or compromised during the attack. The incident was reported to the UK Information Commissioner’s Office (ICO) and relevant insurance industry regulators. One Call publicly apologized for service disruptions caused by the attack but did not disclose operational downtime duration or specific system vulnerabilities exploited.

The attack occurred amid heightened scrutiny of Darkside following its high-profile ransomware strike against Colonial Pipeline on May 7, 2021. Darkside had publicly announced its shutdown on May 14—one day after One Call’s compromise—but the Doncaster incident demonstrated the group’s continued operations despite this claim. Forensic investigators linked the ransomware to Darkside’s characteristic tactics, including Tor-based extortion threats and VMware ESXi hypervisor targeting observed in earlier campaigns. Security researchers previously associated Darkside’s infrastructure with Carbon Spider (Carbanak), a financially motivated cybercrime group active since the mid-2010s. One Call’s forensic team worked with authorities investigating the criminal organization, though no payment or data leakage was confirmed publicly. The company maintained customer services through its rebuilt environment while the original systems remained under investigation.
