South African insurance clients hit in massive global cyberattack
Aon South Africa has warned customers that the Cl0P ransomware gang likely compromised their personal information during a mass-exploitation campaign earlier this year.
It assured customers that the compromised data did not include bank account or credit card details.
Aon is a global professional services firm that offers car, household, and health consumer insurance products in South Africa.
It also provides commercial risk, reinsurance, and employee benefit services for businesses.
Cl0P took advantage of a zero-day vulnerability in MOVEit Transfer several months ago, allowing it to download potentially sensitive data from corporations worldwide.
MOVEit is a managed file transfer system aimed at enterprises that offers secure file transfers between business partners and customers using SFTP, SCP, and HTTPS.
It was developed by Progress Software Corporation subsidiary Ipswitch.
The MOVEit zero-day is one of 2023’s major information security stories, resulting in the private data of millions of people being exposed. Some of the more prominent recent exposures include:
- 3.4 million people in a perinatal and child registry funded by the Canadian government
- 10 million job-seekers in France’s unemployment registration and financial aid agency
- 4 million people in Colorado’s database of people who need government-assisted healthcare
Reuters reported in August that the MOVEit hack has led to data breaches at over 600 organisations worldwide.
Cyber extortion incident response firm Coveware estimated in July that Cl0P may earn $75–$100 million (R1.4 billion to R1.9 billion) from its MOVEit campaign.
It said the sum would come from just a handful of victims who succumbed to very high ransom payments.
“This is a dangerous and staggering sum of money for one, relatively small group to possess. For context, this amount is larger than the annual offensive security budget of Canada,” Coveware warned.
Aon sends notification four months after breach
In a notification sent to customers on Friday, 29 September 2023, Aon said that Progress had informed them of the issue several months ago.
“On 31 May 2023, Aon was notified by Progress, the manufacturer of the MOVEit application, that it had identified a vulnerability in its software,” Aon stated.
“Upon becoming aware of this vulnerability, which was unknown to the cyber security industry prior to being exploited, Aon immediately took steps to contain and investigate the incident.”
Aon said these steps included identifying and terminating access to the impacted servers, applying all available patches released by Progress to address the vulnerability, and engaging cybersecurity experts to thoroughly investigate the incident.
Following the investigation, Aon determined that customers’ date of birth, national identification and/or passport numbers, and personal contact information linked to their policies were exposed.
“Aon immediately reported the incident to, and is working closely with, law enforcement and all relevant authorities,” the company said.
“We have notified the Information Regulator of the incident. We have also implemented additional measures designed to enhance the security of our network, systems, and data.”
Aon said it does not believe there is cause for concern in the wake of a cyberattack such as this, which affected organisations worldwide.
This is a curious statement, considering a warning from the Southern African Fraud Prevention Services (SAFPS) in July that it had seen a significant increase in identity theft.
The SAFPS said impersonation fraud had surged 356% between April 2022 and April 2023. The number of forged documents and cases of money muling in South Africa had also increased.
“This can be attributed to data leaks and compromised personal data, which has shown a significant recent increase in South Africa,” it stated.
Although Aon said there is no cause for concern, it said customers mustn’t let their guard down.
People should remain cautious of unsolicited communications that ask for personal information, refer them to a webpage asking for personal information, or ask them to click links or download attachments.
Aon said it partnered with TransUnion to offer affected clients 24 months of TrueID — a product offering identity monitoring and ID theft response functionality.
It also said that anyone who suspects their identity has been stolen can apply for free protective registration from the SAFPS.