Those people affected are clients of FHCK who applied for or renewed insurance coverage online via FHKC between November 2013 and December 2020.
According to Casey Ellis, CTO and Founder of Bugcrowd, this incident highlights the ever-evolving cybersecurity attack surfaces and presents a dire need for insurance organizations to up-level their current security measures.
Ellis tells Digital Journal that the coronavirus situation is not helping organizations to deal with the threat landscape: “The pandemic has put a global spotlight on the wealth of sensitive data insurance organizations possess. Widespread adoption of new tech initiatives brought on by COVID-19 has led to an increase in data within insurance companies and inevitably opened up a new attack surface for malicious cyber adversaries to target — such as the 122,000 globally-connected internet assets within the top nine insurance organizations. With the increased pace of technology rollout, increased use of online health service on account of the pandemic, and the active adversaries lurking, the insurance industry has become adversaries’ latest target”
In terms of the specific attack, Ellis notes: “FHKC was allegedly exposed by it’s hosting provider, and a failure to apply patches — which isn’t an uncommon story. This highlights the need to consider and manage supply chain security, as well as to trust — but first verify.”
Taking action matters, says Ellis: “As the insurance industry continues to play an instrumental role in distributing the COVID-19 vaccine and providing basic healthcare amidst the pandemic, insurance organizations must look to up-level their current cybersecurity measures with external security researchers via a bug bounty or vulnerability disclosure program (VDP) to help identify and disclose vulnerabilities before they can be exploited by adversaries.”
This type of approach will work, Ellis states: “By doing so, insurance organizations can get ahead of malicious actors and proactively address vulnerabilities before they become a devastating breach.”
