Cyber Incident Victim: Annuity Investors Life Insurance Co.

Date: May 2023

Location: United States of America

Summary

A cybersecurity incident at Annuity Investors Life Insurance Co. was part of a wider MOVEit-related breach that impacted over 37,500 Delaware residents across multiple insurers, including agents, policyholders, and beneficiaries. Personal data was compromised through a third-party vendor's MOVEit file transfer system rather than through the insurer's own network. The event triggered Delaware's statutory breach-response requirements, prompting a regulatory investigation and the provision of free credit monitoring services to affected consumers.

CIA Posture: available to members
Motives: 3 motives (details available to members)
Tactics, Techniques & Procedures: 2 techniques (details available to members)
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

A data breach impacting Annuity Investors Life Insurance Co. was part of a larger cybersecurity incident involving the MOVEit file transfer service, a system utilized by third-party vendors serving the insurance industry. The event was publicly disclosed by the Delaware Department of Insurance in a consumer alert initially issued on June 26, 2023, and subsequently updated on July 24, 2023. The incident stemmed from a vulnerability within the MOVEit software, which was exploited by an unauthorized actor to gain access to files stored on the system. This breach did not directly target Annuity Investors Life Insurance Co.'s internal network but rather compromised a third-party service provider the company engaged for secure file transfers. The specific vendor involved was not named in the public disclosure from the Delaware Department of Insurance.

The breach exposed sensitive personal information belonging to a large number of individuals associated with multiple insurance companies, including Annuity Investors Life Insurance Co. The affected population included Delaware residents who were agents, policyholders, or beneficiaries of the insurer. The total number of individuals impacted across all insurers listed in the Delaware Department of Insurance update exceeded 37,500. The exact number of individuals specifically affected by the Annuity Investors Life Insurance Co. incident was not detailed in the available report, but the company was included among the entities reporting a breach to the state regulator. The compromised data constituted personal information; the precise data elements exfiltrated for this specific company were not enumerated in the public advisory.

The incident triggered obligations under Delaware’s Insurance Data Security Act, which had been passed in 2019. This legislation mandates specific protocols for insurance companies and their vendors following a cybersecurity event. Upon discovery of the breach, the involved entities were required to initiate a thorough investigation into the cybersecurity event and undertake corrective actions on the compromised information systems. A detailed report of the incident was also mandated to be filed with the Delaware Insurance Commissioner. Furthermore, the law requires that affected consumers be notified within 60 days of the event's discovery, unless federal law or a request from a law enforcement agency necessitates an altered timeline for this notification.

In accordance with these legal requirements, the response included formal notification to the individuals whose personal data was potentially compromised. Consumers were advised to be vigilant and watch for official contact regarding the breach. As a remedial measure, the company, through its vendor, was obligated to provide affected consumers with credit monitoring services at no cost for a minimum period of one year. The notification also included information and guidance for consumers on how to place a freeze on their credit reports with the major credit bureaus as an additional protective step.

The regulatory response was led by Delaware Insurance Commissioner Trinidad Navarro, who publicly addressed the breach. Commissioner Navarro emphasized the seriousness with which the department viewed the incident and encouraged all affected consumers to utilize the offered identity and credit protection services. He also confirmed that the department's Market Conduct staff would be engaged in investigating the situation. This investigation was anticipated to be a collaborative effort with investigators from other states, reflecting the multi-state nature of the incident impacting numerous insurers and their vendors. The core objective of this regulatory investigation was to assess whether appropriate data security safeguards and protocols had been in place at the time of the breach, as required by the Insurance Data Security Act. The department retains the authority to investigate violations of the Act and to levy penalties accordingly should its investigation determine that necessary safeguards were not maintained.

The incident is a prominent example of a supply chain attack, where a vulnerability in a widely used software product operated by a third party leads to a widespread data compromise across multiple organizations that use that service. The exploitation of the MOVEit file transfer service had far-reaching consequences beyond the insurance sector, but its impact on insurers was significant due to the highly sensitive nature of the personal and financial information they handle and transfer through such systems. The breach underscores the operational and regulatory challenges posed by reliance on third-party vendors for critical data processing functions. The response was governed by specific state legislation designed to fortify data security measures within the insurance industry, ensuring a standardized protocol for investigation, consumer notification, and the provision of protective services following a security event.

Sources

1 source (available to members)