Cyber Incident Victim: Chubb

Date: Mar 2020

Location: United States of America

Summary

A major cybersecurity insurance provider experienced a data breach involving unauthorized access to third-party data in a Maze ransomware attack; Maze operators exfiltrate information and hold it for ransom. The Maze group claimed responsibility and listed senior executives' names and email addresses, but had not published stolen files at the time. The company confirmed its own network remained unaffected while it investigated the incident.

Description

On March 26, 2020, cybersecurity insurance provider Chubb disclosed it was investigating a security incident involving unauthorized access to data belonging to an unnamed third party. The company, a major insurer for businesses affected by data breaches, stated through spokesperson Jeffrey Zack that its internal network showed no evidence of compromise and remained fully operational. Chubb declined to provide additional details or confirm whether its customers were impacted. Security researcher Brett Callow of Emsisoft identified the incident as a Maze ransomware attack, noting the group had listed Chubb on its data leak site earlier in March. The Maze ransomware operators employed a double-extortion tactic, both encrypting victim networks and exfiltrating data to pressure organizations into paying ransoms. Their listing included the names and email addresses of three senior Chubb executives, including CEO Evan Greenberg, though no stolen files had been publicly released at the time of reporting. The FBI had previously issued private warnings in December 2019 about escalating Maze-related incidents, highlighting the group’s aggressive operational patterns.

The attack underscored the targeting of a prominent cybersecurity insurer by a ransomware group known for systematically compromising organizational networks. While Chubb maintained its infrastructure was unaffected, the breach of third-party data raised questions about potential downstream impacts given the company’s role in managing sensitive client breach responses. Historical context included Target Corporation’s $74 million lawsuit against Chubb in 2019, alleging inadequate compensation for costs stemming from Target’s 2013 breach affecting 110 million customers. Chubb’s incident response focused on investigating the third-party compromise without disclosing mitigation steps, data types exposed, or whether negotiations with the threat actors occurred. The Maze group’s publication delay created uncertainty regarding the full scope and severity of data exfiltration, leaving unresolved whether additional material would be leaked or leveraged for further extortion.
