The data breaches, originating from SIM-swapping attacks, occurred in November 2023 and have since sparked widespread concerns about data security.
A recent notification has revealed data breaches at insurance giants Washington National Insurance Company and Bankers Life and Casualty Company, both of which are subsidiaries of the CNO Financial Group. The breaches, originating from SIM-swapping attacks, occurred in November 2023 and have since sparked widespread concerns about data security.
What is a SIM-swapping attack?
SIM-swapping attacks involve fraudulently obtaining control of a victim’s mobile phone number by convincing the victim’s mobile carrier to switch the SIM card linked to the number to one in the possession of the attacker.
Once the attacker gains control of the victim’s phone number, they can intercept incoming calls and text messages, allowing them to bypass security measures such as two-factor authentication (2FA) that rely on codes sent via SMS.
This enables the attacker to access sensitive accounts, such as banking or cryptocurrency wallets, and carry out fraudulent transactions or steal personal information. SIM-swapping attacks exploit vulnerabilities in the verification processes of mobile carriers and can have severe consequences for victims, including financial loss and identity theft.
Over 66,000 users impacted
Washington National Insurance Company is reaching out to 20,360 individuals affected by the breach, whereas Bankers Life and Casualty Company is contacting 45,842 individuals. The compromised data potentially contains customers’ names, Social Security Numbers, dates of birth, and customer account numbers.
According to the data breach notification filed with the Office of the Attorney General of California on January 26, 2024, Bankers Life promptly initiated an investigation to assess the extent of the compromise. Thereafter, the company began the process of notifying affected individuals through data breach notification letters, outlining the breach’s implications and offering guidance on protective measures.
A notification letter from Bankers Life and Casualty Company underscores the urgency for affected individuals to understand the risks posed and take appropriate action to safeguard their information. Companies that fail to uphold their data protection obligations can be held liable, opening the possibility of legal recourse through data breach lawsuits.
Experts warn of possible ransomware attacks
For insights, we reached out to Rebecca Moody, Head of Data Research at Comparitech, who emphasized that SIM-swapping attacks involve more than just identity theft or taking over someone else’s SIM card; they can also be used to carry out ransomware attacks.
“For example, Advarra’s ransomware attack in October 2023 was carried out after one of its executives was the victim of a SIM swap. ALPHV/BlackCat claimed the attack and said it had stolen 120GB+ of data. This included sensitive data belonging to employees, patients, and customers,” Rebecca said while discussing potential consequences.
Rebecca also pointed to the specifics of the data breach notification (PDF), which indicate that the SIM swap was carried out without proper authorization or verification. “The data breach notifications suggest the attacks were enabled as ‘a retailer for one of the top nationwide wireless carriers, without proper authorisation or appropriate verification from the senior officer, allowed the senior officer’s phone number to be swapped to what we believe was the threat actor’s phone,’” Rebecca explained.
Rebecca advised users that “to prevent SIM-swapping attacks, users should use secure authentication apps instead of their phone number for two-factor authentication, add additional layers of security to their mobile phone number accounts (e.g. PIN codes and security questions), avoid linking accounts to their phone number, and be generally wary of any requests for personal data.”
Ongoing investigation
The FBI is aware of the issue. The root cause of the breach is yet to be fully elucidated, with ongoing investigations expected to shed more light on the matter. However, initial reports suggest that the incident may have originated from a cyberattack targeting one of Bankers Life’s vendors, emphasising the substantial risks associated with third-party breaches.
Victims of the breach are advised to remain alert against potential fraudulent activities, such as identity theft. As investigations continue, affected individuals can expect further updates on the breach and its implications.
The breach at Bankers Life and Casualty Company highlights the ongoing importance of addressing challenges in data security, emphasizing the need for businesses and consumers to prioritize strong cybersecurity measures to reduce risks and protect sensitive information.