Fraud Management & Cybercrime
,
Healthcare
,
Industry Specific
Multi-Line Insurance Company Warns Customers of Potential Scams
Pennsylvania-based Erie Indemnity Corp.- which offers insurance policies including auto, life, Medicare supplements and cyber insurance – on Wednesday notified the U.S. Securities and Exchange Commission that it has been responding to a cybersecurity incident since last weekend.
See Also: A Modern Approach to Data Security
The Fortune 500 company is also publicly warning customers to not provide their personal information or payments to potential scammers reaching out directly by email and phone calls.
Erie Indemnity – which does business as Erie Insurance – told the SEC that on June 7 the company “identified unusual network activity,” which was determined to be the result of an information security event.
“Upon learning of this activity, the company activated its incident response protocols and took immediate action to respond to the situation to safeguard our systems. The company also notified and is working with law enforcement,” Erie Insurance told the SEC.
Erie Insurance is continuing to take “protective measures” and is conducting forensic analysis with the assistance of third-party cybersecurity experts to gain a full understanding of this event, the company said.
“Given the recency of the event, the company’s investigation and response are ongoing, and the full scope, nature and ultimate impact on the company are not yet known,” Erie Insurance said.
A similar public notice Erie Insurance also posted Wednesday on its website goes one step further, warning customers to beware of potential scams related to the incident.
“During this outage, Erie Insurance will not contact customers by phone or email to request payments. As always, do not click on any links from unknown sources or share your personal information via phone or email.”
Erie Insurance did not immediately respond to Information Security Media Group’s request for additional details about the incident, including whether ransomware encryption and data exfiltration is involved, and whether the company has received reports about customers already getting fraudulent emails and phone calls.
Wide Range of Customers
Erie Insurance, which has been in business since 1925, has 6 million active policies in auto, home, property coverage, cyber, life, Medicare supplement, retirement, veterinarian and pet insurance. The company says on its website that it employs more than 7,000 people and has 14,000 agents.
In light of the company’s deep business roots and the wide range of insurance policies, the type of information potentially compromised in the incident is vast, some experts said.
“Because Erie Indemnity serves consumers, the type of information potentially accessed is likely to cause civil litigation for the unauthorized disclosure of privacy information,” said Mike Hamilton, field CISO at security firm Lumifi Cyber. Additionally, because the company also provides commercial insurance, policyholder records could be used for business email compromise and payment redirection schemes, he said.
“Further, Erie Indemnity also sells cyber policies, and possession of these lets the threat actor understand exactly what the thresholds are for coverage and this information can be used in further extortion campaigns against Erie’s business customers,” he said.
Since consumer records are involved and financial information is undoubtedly part of that, law enforcement and incident responders have likely advised Erie on public communications to make consumers aware of the potential for fraud, Hamilton said. “Whether scam calls are planned is still speculative, although that is a threat. It is more likely that the records are monetized through extorting Erie for their destruction – which is never guaranteed – as this is less work for the threat actor,” he said.
Popular Targets
Insurance companies are a popular target for cybercriminals.
“The Erie Insurance attack highlights the high-value, high-context nature of data in insurance breaches,” said Eran Barak, CEO of security firm MIND. “Unlike transactional breaches, these attacks involve deep personal records tied to health, identity and livelihood, impacting policyholders, beneficiaries, dependents and third parties,” he said.
“The unique sensitivity and permanence of this data mean the stakes are consistently high.”
Insurers in the healthcare sector have been especially hard-hit in recent years. In fact, the largest health data breach ever reported – affecting 190 million people – resulted from a February 2024 ransomware attack on UnitedHealth Group’s Change Healthcare IT services unit.
“What differentiates the Erie attack from Change Healthcare and other payment and insurance clearing houses is that Erie is not specific to a sector,” he said.
So far, the Erie Insurance appears closer in nature to the 2020 attack on fundraising software provider Blackbaud, which affected a wider range of organizations and sectors, including healthcare, nonprofits and philanthropic organizations, Hamilton said (see: Lessons Learned From Blackbaud Hack Legal Fallout).
Monetizing the Erie Insurance attack from a variety of records “would force the threat actor to work harder,” he said, “and it is not clear whether this is the objective, or to merely extort,” he said.
Another Pennsylvania insurance company reported this week that it is also undergoing a cyberattack. Philadelphia Insurance Co. posted a notice on its website Thursday saying, “We are currently experiencing a network outage impacting PHLY systems. This outage affects our phone and email systems, as well as customer access to online applications. We are working to resolve this issue as soon as possible and apologize for any inconvenience.”
