Cyber Incident Victim: American Family Insurance
Date:
Oct 2023
Location:
United States of America
Summary
American Family Insurance detected unusual activity within its network and took precautionary measures, including shutting down several business systems. This caused significant system outages impacting customers, agents, and employees. The company's ongoing investigation, supported by internal and external experts, had not yet detected any compromise to critical business or customer data processing and storage systems at the time of the report.
Description
On or around October 1, 2023, American Family Insurance detected unusual activity within a portion of its network, which triggered its cybersecurity incident response. The nature of the activity was not publicly specified, but its detection prompted immediate precautionary measures by the company's security team, aimed at protecting the firm's data and technology resources from compromise or exfiltration. As part of those measures, the company proactively shut down several key business systems to contain the incident and prevent the activity from spreading to other parts of the network.

The shutdown of these business systems caused significant operational outages affecting the company's customers, its network of agents, and its employees. Normal business functions and service delivery were disrupted, though public statements did not detail the extent or specific nature of the interruptions. The company acknowledged the impact and thanked those affected for their patience while its teams worked to resolve the situation. The investigation began immediately upon detection and was described as ongoing; it involved the company's internal cybersecurity staff together with third-party experts engaged to assist with analysis and response.

A central question for the investigation was the scope and depth of the intrusion. In its initial public communications, American Family Insurance stated that, to date, the investigation had not detected any compromise of what it classified as critical business systems, and that its customer data processing and storage systems likewise showed no signs of compromise at that stage. If those findings hold, the precautionary shutdowns may have isolated the unusual activity to non-critical segments of the enterprise network; note, however, that "no compromise detected" early in an investigation is not the same as "no compromise occurred". The company also confirmed that several parts of its wider enterprise continued operating without interruption, which is consistent with a segmented network that limited the incident's blast radius, although the company did not describe its architecture.

The company said it would return the shut-down systems to normal operation only after its investigative and safeguarding efforts were complete, prioritizing security over speed: affected systems were to be investigated, remediated where necessary, and fitted with additional safeguards before being reconnected to production, a deliberate approach intended to prevent recurrence or secondary incidents. Neither the duration of the outages nor a timeline for full restoration was disclosed at the time, as the company focused on a careful, phased return of systems. The incident coincided with other significant cyber incidents affecting major companies in the region, notably a separate cyberattack against Kwik Trip that had been ongoing for several weeks and that the company had not yet resolved, which provides broader context for the cybersecurity challenges large enterprises faced during that period.
