The Japanese customers of two large insurance companies, Aflac and Zurich, have had their personal information leaked after the breach of a third-party service provider. The attacked provider has not been identified, and neither company would comment on whether the two attacks were related. Each company, however, issued a statement this week alerting its customers that their information had been made public.
According to Jon Sullivan, Aflac director of communications, the company recently learned about a “data-related incident” involving customers from Japan. About 1.3 million customers were impacted by the incident, which was brought on by a file transfer server vulnerability and started with a subcontractor of a third-party vendor utilized by Aflac Japan for marketing purposes.
“The data, which did not include personally identifiable information (PII), was posted on a dark website. This incident was confined to Aflac Japan and did not involve data related to U.S. operations or customers,” said Sullivan.
The company said in a statement that it intended to get in touch with each customer separately to outline the support options available to them. The vulnerability was found on January 9. They claimed in the letter that they had examined the dark web post and verified the data’s affiliation with their company. Names, ages, genders, insurance types, insurance numbers, rates, and further plan details were all included in the data.
According to the press release, which includes a number for a contact center with more information, all of those affected, 1,323,468 people, had one of three types of cancer insurance coverage. In order to prevent future thefts, Aflac said that it had deleted the stolen data from the third-party server.
A spokesperson for Zurich Insurance Group stated that the company is also aware that Japanese customer data has been stolen and made public, attributing it in terms similar to those of the first statement. Along with starting the process of alerting Japanese customers, the company has gotten in touch with regulators and authorities.
“There is no indication that any customer data outside of Japan have been compromised, nor indication of any compromise of Zurich internal systems. Initially, it was falsely reported that 2.6 million customers were affected by the data breach. It has since been clarified that 757,463 ‘Super Automobile Insurance’ customers (a local motor insurance product) have been affected,” the spokesperson said.
Names, policy numbers, customer IDs, emails, dates of birth, and further vehicle information are among the stolen data.
According to Lior Yaari, CEO of Grip Security, the incident served as yet another illustration of the risk that big businesses run when they commit their customers’ personal information to unreliable third parties.
“Whether it’s a third-party, former employee, overly permissive grants, or dangling access on zombie accounts, the opportunity to exploit credentials and thereby gain access to sensitive information has never been more appealing, which is one of the reasons third parties and their credentials to access client systems remain top attacker targets,” said Yaari.
Eureka Security CEO Liat Hayun said that third-party providers are frequently a necessary evil for businesses the size of Aflac and Zurich, placing the majority of businesses in an unenviable position.
“Who do you trust with your critical data assets? Your answer would be ‘no one,’ however, the reality is that organizations use third-party vendors to enable day-to-day operations,” Hayun explained. “With that said, it is best to work with third-party vendors who have the same, if not better, data security policies than your own organization to further accelerate day-to-day operations.”
The announcement of the breach comes only days after the company’s CEO warned the Financial Times that situations like these were “uninsurable” due to the size and frequency of cyberattacks.