CNA cyberattack in March exposed personal information of more than 75,000 people, filings reveal
A March cyberattack that shut down systems at Chicago-based insurance giant CNA exposed the personal information of thousands of employees, contractors and policyholders, the company revealed in a Securities and Exchange Commission filing Monday.
More than 75,000 people were affected by the hack, which revealed names, personal identification and Social Security numbers, according to a data breach notification filed with the Maine attorney general's office in July.
"We are not releasing further information beyond what is posted on CNA.com and what was in our recent filings," the company said in an emailed statement Tuesday.
CNA discovered the "sophisticated ransomware attack" on March 21, with an investigation revealing that the hackers accessed company systems and copied a "limited amount of information" before deploying the ransomware, according to a July notice posted by CNA. The company said at the time there was "no indication that the data was viewed, retained or shared."
In July, CNA notified the people whose data was exposed and offered them two years of free credit monitoring service.
The March cyberattack caused a network disruption that affected certain systems, including corporate email. It also shut down the functionality of CNA's website, reducing it to a static display. CNA paid the hackers $40 million to regain control of its systems, according to Bloomberg.
In its SEC filing Monday, CNA said it may be subject to "investigations, fines or penalties" as well as legal claims related to the data breach. The insurance company also disclosed that its own insurance policies may not cover potential damages.
"Although we maintain cybersecurity insurance coverage insuring against costs resulting from cyberattacks (including the March 2021 attack), we do not expect the amount available under our coverage and/or our coverage policy to cover all losses," the company said in its filing. "Costs and expenses incurred and likely to be incurred by the company in connection with the March 2021 attack include both direct and indirect costs and not all may be covered by our insurance coverage."
CNA Financial, which has 5,800 employees worldwide, is one of the largest commercial property and casualty insurance companies in the U.S., generating $10.8 billion in revenue last year, according to financial reports.
©2021 Chicago Tribune.
Distributed by Tribune Content Agency, LLC.
