Two insurance multinationals have revealed that the details of millions of Japanese customers were hacked and put up for sale after a third-party contractor was allegedly compromised.
Aflac and Zurich’s statements did not name the compromised supplier, but a local report by Tokyo-based news agency Jiji Press claimed the same U.S. subcontractor was responsible. I’m here.
A total of approximately 2 million customers were affected by the incident, including 1.3 million Aflac cancer insurance policyholders and 760,000 Zurich auto policyholders.
According to Aflac, the compromised data included age, gender, surname, policy number, policy type number, and coverage amount/premium.
The insurance company argued, “We need to be careful that individuals cannot be identified only with the above personal information leaked on the information leak site.” “Therefore, we believe that the possibility of the leaked information being misused by a third party is extremely low.”
Aflac added that the original compromised subcontractor removed customer information from the targeted servers. Aflac said it was taking unspecified additional “steps” to prevent similar incidents in the future.
Separately, the hackers managed to access customer information related to Zurich car insurance. Names, email addresses, policy numbers, customer IDs, dates of birth, and vehicle information have been reported compromised.
Only Japanese customers of two insurance companies are believed to have been affected by the incident.
Lior Yaari, CEO and co-founder of Grip Security, argued that compromised credentials were the most likely way for hackers to gain access to the server in question.
“Whether it’s third parties, former employees, overly permissive permissions, or dangling access to zombie accounts, the opportunities to misuse credentials to access sensitive information are more than ever. Fascinating,” he added.
“This is one reason why third parties and their credentials to access client systems continue to be top targets for attackers.”
Eureka Security CEO Liat Hayun argued that no organization can trust its critical data assets today.
“But the reality is that organizations use third-party vendors to enable day-to-day operations,” he added. “To further accelerate our day-to-day operations, it is best to work with a third-party vendor that has the same or better data security policies than our own organization.”
Editorial Credit Icon Image: Ralf Liebhold / Shutterstock.com
