Cyber Incident Victim: Wilcac Life Insurance Company
Date: Jun 2023
Location: United States of America
Summary
Wilcac Life Insurance Co. was impacted by a third-party data breach involving the MOVEit file transfer system. The incident compromised the personal data of over 37,500 Delaware residents, including agents, policyholders, and beneficiaries. The event triggered Delaware's Insurance Data Security Act, mandating an investigation, consumer notifications, and the provision of free credit monitoring services for at least one year to those affected.
Description
The incident involving Wilcac Life Insurance Co. was part of a larger cybersecurity event impacting numerous insurers and their third-party vendors, primarily centered on a breach of the MOVEit file transfer services system. The Delaware Department of Insurance first issued a consumer alert regarding this widespread data breach on June 26, 2023. This initial alert was subsequently updated as the department received additional data breach reports from affected insurers. The breach triggered specific legal requirements under Delaware’s Insurance Data Security Act, which had been passed by the state's General Assembly in 2019 and implemented the National Association of Insurance Commissioners’ model law.

The core of the incident stemmed from a compromise of the MOVEit file transfer system, a tool used by third-party vendors servicing insurance companies, including Wilcac Life Insurance Co. The compromise allowed unauthorized actors to access and exfiltrate data. The breach did not directly target Wilcac's internal information systems but instead impacted the company through its reliance on these external vendors for data transfer and processing services. The specific actions of the attackers, the exact point of initial compromise, and the precise timeline of data access for Wilcac were not detailed in the available public reporting from the Delaware Department of Insurance.

The impact of this incident was significant, affecting over 37,500 individuals in the state of Delaware alone who were associated with Wilcac Life Insurance Co. and other listed insurers. The affected individuals included the company's agents, policyholders, and beneficiaries. The personal data of these individuals was compromised in the breach, exposing them to potential identity theft and financial fraud. The exact types of personal information exposed were not specified in the available public reporting, but such breaches commonly involve sensitive details like names, addresses, Social Security numbers, and policy information.

In response to the breach, the Delaware Department of Insurance mandated a series of actions from affected entities under the state's Insurance Data Security Act. Wilcac Life Insurance Co., as an impacted insurer, was required to conduct a thorough investigation of the cybersecurity event. This investigation was tasked with determining the scope of the incident and correcting any compromised information systems to prevent further unauthorized access. Furthermore, the company was obligated to provide detailed reporting on the incident to the Delaware Insurance Commissioner.

A critical component of the regulatory response was the mandate for consumer notification and protection. Wilcac Life Insurance Co. was required to notify all affected consumers within 60 days of the event's discovery, unless a modified timeline was expressly required or requested by federal law or a law enforcement agency. Alongside notification, the company was compelled to provide all impacted individuals with credit monitoring services at no cost for a minimum period of one year. The notification also had to include information guiding consumers on how to freeze their credit with the major bureaus as a further protective measure.

Insurance Commissioner Trinidad Navarro publicly addressed the breach, emphasizing the seriousness with which the department viewed any compromise of personal information. He encouraged affected consumers to utilize the identity and credit protection services being offered. Commissioner Navarro also confirmed that the department's Market Conduct staff would work to investigate the situation. This investigation was expected to be conducted in collaboration with investigators from other states, reflecting the multi-state nature of the incident. A key objective of this investigation was to assess whether Wilcac Life Insurance Co. and its vendors had appropriate data safeguards in place as required by law. The Department of Insurance retained the authority to investigate any violations of the Insurance Data Security Act and to levy penalties accordingly if it was determined that appropriate security measures were not maintained.

The incident highlighted the risks associated with third-party vendor relationships and supply-chain attacks, where a vulnerability in a widely used software product can have cascading effects across numerous organizations. The response was governed by a pre-existing legal framework designed to fortify security measures and protect consumer data, which dictated the specific steps for investigation, correction, reporting, and consumer notification and support. The full technical details of the attack vector exploited in the MOVEit system and the complete extent of data exfiltrated from Wilcac's vendors were not disclosed in the available public information from the Delaware authorities.
