Cyber Incident Victim: Group 1001

Date: Feb 2023

Location: United States of America

Summary

Group 1001 experienced a ransomware attack that disrupted operations at multiple insurance member companies, though its Gainbridge subsidiary remained unaffected. The entity contained the incident by proactively disconnecting systems and engaged forensic experts and law enforcement, confirming no ransom was paid and no further systems were compromised. Normal operations were restored following remediation efforts, including enhanced endpoint detection tools and planned security improvements, while impacted stakeholders await additional updates from the ongoing investigation. Business functions via digital and communication channels were deemed secure post-recovery, and the incident did not affect the organization's credit rating.

Description

Group 1001, an insurance holding company, experienced a ransomware attack on February 9, 2023, which disrupted operations across multiple member companies. The incident impacted Delaware Life Insurance, Delaware Life Insurance Company of New York, Clear Spring Life and Annuity, Clear Spring Property and Casualty, and Clear Spring Health, though its Gainbridge subsidiary remained unaffected. Attackers deployed sophisticated ransomware on the company’s information technology infrastructure, causing system interruptions. Upon discovery, Group 1001 proactively disconnected affected systems to isolate the threat and prevent further spread. The company promptly notified regulators and the FBI, while engaging external forensics experts to assist with the investigation. Initial findings confirmed the ransomware was contained, with no evidence of additional system compromises beyond the initial breach. Group 1001 explicitly stated it did not pay any ransom demands and maintained operations through alternative channels during recovery efforts.

Following containment, remediation efforts included comprehensive scanning for indicators of compromise across systems, with identified threats being neutralized. The company implemented advanced endpoint detection and monitoring tools to strengthen its security framework and announced plans for further enhancements to build a more robust defensive posture. While operations were fully restored across all affected member companies by the time of the March 1, 2023 public statement, management acknowledged the investigation remained ongoing. Group 1001 committed to notifying impacted customers upon conclusion of the investigation but did not disclose specific numbers or details regarding customer data exposure. Business operations resumed through official channels including the company website, call centers, and email, with assurances these platforms were secure. AM Best confirmed the incident had no material financial impact on Group 1001, maintaining its pre-attack credit rating without adjustment.
