Cyber Incident Victim: Pan-American Life Insurance Group
Date: Feb 2021
Location: United States of America
Summary
Pan-American Life Insurance Group experienced significant service disruptions following a cyberattack attributed to the REvil ransomware group, which claimed theft of 170 GB of sensitive data including financial reports and health-related information. The company took systems offline upon detecting suspicious activity, impacting operations but maintaining customer service continuity. REvil actors typically employ double extortion tactics, threatening data leaks unless ransoms are paid, often demanding substantial sums. The victim's subsequent removal from the ransomware group's leak site suggested potential negotiation efforts. PALIG engaged internal and external experts to investigate the breach while working to restore systems responsibly, emphasizing the seriousness of data security amid ongoing recovery efforts.
Description
On or around February 19, 2021, Pan-American Life Insurance Group (PALIG) experienced significant service disruptions attributed to a cyberattack involving the REvil ransomware group. The New Orleans-based insurer, operating across the Americas with over 20 member companies and approximately 2,000 employees, took its systems offline after detecting suspicious activity, leading to widespread operational interruptions. PALIG’s public website was reduced to displaying minimal contact information alongside a message acknowledging the disruption and directing communications through temporary email channels. Cybersecurity researcher Anis Haboubi identified a claim on a REvil-operated Tor leak site stating the threat actors had exfiltrated 170 GB of data from PALIG, including financial reports covering all company regions and health-related information. REvil, known for deploying ransomware to encrypt victim files and demanding multimillion-dollar ransoms, typically threatens to publish stolen data unless payment is made. The compromised data’s nature suggested exposure of sensitive financial and health records, though PALIG’s subsequent removal from the REvil leak site indicated potential ongoing negotiations between the company and attackers.

PALIG confirmed the breach through a public statement, emphasizing its immediate response to isolate systems upon detecting the suspicious activity. The company engaged internal and external experts to investigate the incident thoroughly while maintaining customer service operations despite the disruption. PALIG’s updates stressed the seriousness with which it treated data security and its commitment to restoring systems responsibly pending the investigation’s findings. The incident underscored the operational and reputational risks associated with ransomware attacks, particularly given the exposure of regional financial data and health information. PALIG’s decision to proactively take systems offline aligned with containment best practices, though the data theft that preceded encryption illustrated the double extortion tactics increasingly employed by groups like REvil: even a successful restore from backups does not remove the threat of publication. The company’s public communications focused on transparency regarding service impacts and remediation efforts without disclosing specifics about ransom demands, payment status, or detailed forensic findings.
