Millions of Insurance Customers Compromised Via Supplier

Two insurance multi-nationals have revealed that millions of Japanese customers’ details were hacked and put up for sale after a third-party contractor was reportedly breached.

Statements from Aflac and Zurich don’t name the breached supplier, but a local report from Tokyo-based news agency Jiji Press claimed the same US sub-contractor was to blame.

In total, around two million customers were impacted by the incident – including 1.3 million enrolled in Aflac’s cancer insurance policies and 760,000 Zurich auto-insurance policyholders.

Aflac said the compromised data included age, gender, last name, policy number, insurance type number and coverage amount/premium.

“It should be noted that the above items of personal information leaked to the information leak site alone cannot identify an individual,” the insurer claimed. “Therefore, we believe that the possibility of the leaked information being misused by a third party is extremely low.”

Aflac added that the sub-contractor which was originally compromised has deleted customer information from the server that was targeted. Aflac said it is taking unspecified additional “measures” to prevent similar incidents from happening in the future.

Separately, hackers managed to access customer information related to Zurich automobile insurance. Names, email addresses, policy numbers, customer IDs, dates of birth and vehicle information have reportedly been compromised.

Only Japanese customers of the two insurers are thought to have been impacted by the incident.

Lior Yaari, CEO and co-founder of Grip Security, argued that compromised credentials are the most likely way hackers gained access to the server in question.

“Whether it’s a third party, former employee, overly permissive grants or dangling access on zombie accounts, the opportunity to exploit credentials and thereby gain access to sensitive information has never been more appealing,” he added.

“Which is one of the reasons third parties and their credentials to access client systems remain top attacker targets.”

Liat Hayun, CEO of Eureka Security, argued that no organization can be trusted with critical data assets today.

“However, the reality is that organizations use third-party vendors to enable day-to-day operations,” he added. “It is best to work with third-party vendors who have the same, if not better, data security policies than your own organization to further accelerate day-to-day operations.”

Editorial credit icon image: Ralf Liebhold / Shutterstock.com