Cyber Incident Victim: Crum & Forster
Date: Feb 2022
Location: United States of America
Summary
Crum & Forster experienced a cyberattack resulting in unauthorized access to its computer systems, compromising sensitive consumer information including names and Social Security numbers. The insurance company confirmed the breach after an investigation assisted by third-party experts, determining that attackers bypassed its security to access confidential files stored on the network. Affected individuals were notified following a review of the compromised data, which varied per individual but primarily involved personally identifiable information. The incident prompted regulatory filings and the distribution of breach notification letters to impacted consumers.
Description
Crum & Forster (C&F) experienced a cybersecurity incident involving unauthorized access to its computer systems, first detected prior to February 3, 2022. The company initiated an internal investigation with support from third-party privacy experts to assess the nature and scope of the breach. On February 3, 2022, C&F confirmed that external threat actors had successfully bypassed its online security infrastructure and accessed specific files stored on its network. The compromised files contained sensitive consumer information, though the full extent of the intrusion was not immediately known. C&F conducted a detailed review of the affected data to identify impacted individuals and the types of information exposed. This analysis revealed that unauthorized parties obtained names and Social Security numbers, with the exact combination of compromised details varying by individual.

C&F formally notified the Massachusetts Attorney General’s office of the breach on February 22, 2023, fulfilling regulatory obligations after completing its forensic review. The same day, the company began mailing individualized data breach notifications to affected consumers, advising them of the exposure of their personal information. No evidence suggested public disclosure of the compromised data prior to these notifications. The breach impacted an undisclosed number of individuals whose data resided on C&F’s servers at the time of the incident. As a property and casualty insurer handling sensitive customer information, the exposure of Social Security numbers created significant risks of identity theft and financial fraud for victims. C&F did not publicly disclose technical details regarding the attack methodology, duration of unauthorized access, or specific security controls that were circumvented. The company’s response focused on breach containment, regulatory compliance, and consumer notification rather than public elaboration on operational or technical remediation measures.
