Cyber Incident Victim: Kingfisher Insurance Company
Date: Oct 2022
Location: United Kingdom
Summary
Kingfisher Insurance experienced unauthorized access to its IT systems by the LockBit ransomware group, which claimed to have stolen 1.4TB of data including employee and customer personal details. The company disputed the scale of the breach, asserting that only a limited number of non-sensitive files were copied, and worked with third-party security specialists to investigate. LockBit affiliates leaked credentials for internal systems such as Workday and Access accounts, though the organization secured its systems and reported no lasting operational disruptions. The incident highlighted LockBit's persistent ransomware operations, contrasting with defunct groups like REvil and DarkSide, while researchers attributed its success to a business-oriented model.
Description
On or around October 8, 2022, Kingfisher Insurance experienced unauthorized access to its IT systems. The breach became public knowledge when the LockBit ransomware group listed Kingfisher on its data leak site on Monday, October 17, 2022, threatening to release stolen data unless unspecified demands were met. LockBit affiliates claimed to have exfiltrated 1.4 terabytes of company data, which they alleged included sensitive personal information belonging to employees and customers. Kingfisher promptly acknowledged the intrusion but contested the scale and severity asserted by the attackers. The company initiated an investigation with third-party cybersecurity specialists to assess the incident’s scope and origin. Initial findings from this investigation indicated that only a limited number of non-sensitive files had been copied during the breach. No operational disruptions or system functionality impairments were reported by Kingfisher following the incident.

LockBit’s leak site published samples of purportedly stolen data, including email addresses and passwords associated with Kingfisher’s Workday and Access accounts. The ransomware group, active since 2019 and known for its business-like operational model, maintained its claim of exfiltrating extensive sensitive data despite Kingfisher’s rebuttal. Kingfisher reiterated that its internal investigation found no evidence supporting the theft of 1.4TB of data or the compromise of sensitive personal information. The company implemented security measures to contain the breach, including system hardening and access reviews. No further data leaks or operational consequences were disclosed by Kingfisher following the initial containment. The incident highlighted LockBit’s continued activity amid the decline of other ransomware groups like REvil and DarkSide. Kingfisher’s investigation remained ongoing as of October 18, 2022, with no additional compromises detected post-containment.
