Cyber Incident Victim: AXA

Date: May 2021

Location: Thailand

Summary

A ransomware attack targeted AXA's Asian operations, impacting IT systems in Thailand, Malaysia, Hong Kong, and the Philippines. The Avaddon group claimed responsibility, alleging theft of three terabytes of sensitive customer data including medical reports, identification documents, and financial records. The insurer's subsidiary confirmed unauthorized access to data processed in Thailand but found no evidence of broader compromise. Attackers issued a 10-day ultimatum threatening data leaks and DDoS attacks if ransom demands weren't met. The incident occurred shortly after the company announced it would cease reimbursing ransomware payments for new French policies, though no direct link was established. Forensic experts were engaged to investigate, with regulators notified. Cybersecurity authorities had previously flagged Avaddon's activities due to concerns that stolen insurer data could facilitate follow-on attacks against policyholders.

Description

On or around May 14, 2021, ransomware operators later identified as the Avaddon group attacked AXA’s Asia Assistance subsidiary, impacting IT operations across Thailand, Malaysia, Hong Kong, and the Philippines. The attackers exfiltrated approximately three terabytes of sensitive data, including customer medical reports, insurance claims, identification documents, bank account details, payment records, and other health-related information. Avaddon publicly posted screenshots of stolen documents as proof of compromise and issued a 10-day ultimatum for payment, threatening to leak the full dataset and launch distributed denial-of-service (DDoS) attacks against AXA if demands were unmet. AXA Partners, the parent entity of the affected subsidiary, confirmed the breach and disclosed that data processed by Inter Partners Asia (IPA) in Thailand had been accessed, though initial investigations found no evidence of broader data exposure beyond IPA systems.

AXA Partners activated a dedicated task force involving external forensic experts to investigate the incident and initiated notifications to regulatory authorities and business partners. The company did not publicly address whether it paid or intended to pay the ransom. The attack occurred shortly after AXA’s announcement that it would cease reimbursing ransomware payments under new policies in France, though a source familiar with the incident stated no direct link between the policy change and the attack. Cybersecurity analysts highlighted the targeting of insurers like AXA and CNA—which suffered a separate ransomware incident in April 2021—as strategically significant, noting that stolen policyholder data could enable threat actors to identify high-value targets for follow-on attacks. The FBI and Australian Cyber Security Centre had previously issued alerts about Avaddon’s ransomware operations, underscoring its established threat profile. Operational disruptions were confined to AXA’s Asian subsidiaries, with no reported collateral impact on other global operations.
