CNA cyberattack in March exposed personal information of more than 75,000 people, filings reveal

Credit: CC0 Public Domain

A March cyberattack that shut down systems at Chicago-based insurance giant CNA exposed the personal information of thousands of employees, contractors and policyholders, the company revealed in a Securities and Exchange Commission filing Monday.

More than 75,000 people were affected by the hack, which revealed names, personal identification and Social Security numbers, according to a data breach notification filed with the Maine attorney general's office in July.

"We are not releasing further information beyond what is posted on and what was in our recent filings," the company said in an emailed statement Tuesday.

CNA discovered the "sophisticated ransomware attack" on March 21, with an investigation revealing that the hackers accessed company systems and copied a "limited amount of information" before deploying the ransomware, according to a July notice posted by CNA. The company said at the time there was "no indication that the data was viewed, retained or shared."

In July, CNA notified the people whose data was exposed and offered them two years of free credit monitoring service.

The March cyberattack caused a network disruption that affected certain systems, including corporate email. It also shut down the functionality of CNA's website, reducing it to a static display. CNA paid the hackers $40 million to regain control of its systems, according to Bloomberg.

In its SEC filing Monday, CNA said it may be subject to "investigations, fines or penalties" as well as legal claims related to the data breach. The also disclosed that its own insurance policies may not cover potential damages.

"Although we maintain cybersecurity insurance coverage insuring against costs resulting from cyberattacks (including the March 2021 attack), we do not expect the amount available under our coverage and/or our coverage policy to cover all losses," the company said in its filing. "Costs and expenses incurred and likely to be incurred by the in connection with the March 2021 attack include both direct and and not all may be covered by our ."

CNA Financial, which has 5,800 employees worldwide, is one of the largest commercial property and casualty insurance companies in the U.S., generating $10.8 billion in revenue last year, according to financial reports.

©2021 Chicago Tribune.
Distributed by Tribune Content Agency, LLC.

Citation: CNA cyberattack in March exposed personal information of more than 75,000 people, filings reveal (2021, November 3) retrieved 3 March 2024 from
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Explore further

Insurance giant CNA hit with 'disruptive' cybersecurity attack


Feedback to editors