It has been reported that insurance companies, Washington National Insurance Company and Bankers Life and Casualty Company, have recently notified customers of significant data breaches following SIM-swapping attacks.

Both companies, which are part of the CNO Financial Group, suffered the attacks in November 2023; however, results of the attacks are only being circulated in February 2024.

Looking at these incidents for Digital Journal is Rebecca Moody, Head of Data Research at Comparitech.

Moody begins by outlining some of the details relating to the recent cyber-attacks and the scope of the impact: “Washington National Insurance Company is notifying 20,360 people of the attack, while Bankers Life and Casualty Company is notifying 45,842. Stolen data potentially includes customers names, Social Security Numbers, dates of birth, and customer account numbers.”

In terms of the main mode of operations used by the criminals to facilitate the data breaches, Moody finds: “SIM-swapping attacks occur when a scammer has a phone number ‘ported’ onto a new SIM card. This allows them to take over the victim’s phone number and also gives them potential access to two-factor authentication methods.”

SIM swaps work by a hacker convincing a cell phone carrier to switch a mobile number to a SIM in the hacker’s possession.

She adds: “While one of the main goals for these types of attacks is to gain access to financial data, they can also be used to carry out other attacks, such as ransomware.”

This was apparent in the recent incidences, says Moody, noting: “For example, Advarra’s ransomware attack in October 2023 was carried out after one of its executives was the victim of a SIM swap. ALPHV/BlackCat claimed the attack and said it had stolen 120GB+ of data. This included sensitive data belonging to employees, patients, and customers.”

As to the methods and objectives of the recent attacks, Moody’s assessment is: “The data breach notifications for the aforementioned insurance companies suggest the attacks were enabled as “a retailer for one of the top nationwide wireless carriers, without proper authorisation or appropriate verification from the senior officer, allowed the senior officer’s phone number to be swapped to what we believe was the threat actor’s phone.”

There are measures that can be taken to avoid such cyber-incidents from occurring, by both corporations and individuals. Says Moody: “Therefore, to prevent SIM-swapping attacks, users should use secure authentication apps instead of their phone number for two-factor authentication, add additional layers of security to their mobile phone number accounts (e.g. pin codes and security questions), avoid linking accounts to their phone number, and be generally wary of any requests for personal data.”