Two major US insurance companies, Washington National Insurance and Bankers Life, subsidiaries of the CNO Financial Group, have disclosed a significant data breach affecting thousands of individuals. The breach occurred when hackers executed SIM-swapping attacks in November 2023, allowing them to gain unauthorized access to sensitive personal information. This method involves fraudsters manipulating customer support staff at cellphone operators to gain control of victims’ phone numbers, bypassing two-factor authentication measures. As a result, hackers obtained access to personal data such as names, social security numbers, dates of birth, and policy numbers, putting approximately 66,000 individuals at risk of identity theft and fraud.
Washington National Insurance sent breach notification letters to 20,360 affected individuals, explaining that a SIM-swapping attack on a senior officer’s phone number facilitated the breach. Similarly, Bankers Life issued nearly identical notifications to 45,842 individuals. The scale of the breach underscores the severity of the security lapse and the potential consequences for those impacted. With cybercriminals increasingly exploiting SIM-swapping techniques to circumvent security measures, there is a pressing need for organizations to bolster their cybersecurity defenses and implement more robust authentication mechanisms.
The incident highlights the inherent vulnerabilities associated with SMS-based two-factor authentication and underscores the importance of adopting more secure authentication methods, such as time-based one-time passwords (TOTP) or hardware keys. Despite the known risks, many organizations continue to rely on less secure authentication practices, leaving themselves vulnerable to cyberattacks. To mitigate the risk of future breaches, organizations are advised to refrain from linking accounts to phone numbers and to implement additional layers of security on cellphone accounts to deter fraudulent activities.
In response to the breach, both insurance companies are urged to collaborate closely with their cellphone providers to implement enhanced security measures and prevent similar incidents from occurring in the future. Additionally, individuals are encouraged to remain vigilant and take proactive steps to protect their personal information, including monitoring their accounts for any suspicious activity and implementing stronger authentication measures wherever possible. This breach serves as a stark reminder of the evolving nature of cyber threats and the critical importance of robust cybersecurity practices in safeguarding sensitive data.
Reference:
- US insurance firms sound alarm after 66,000 individuals impacted by SIM swap attack
- breach notification letter
