US insurance giant Dominion National took 9 years to detect breach
26 June 2019
US medical insurance giant Dominion National today announced that it recently discovered unauthorised access to some of its servers that began as far back as 2010. The unauthorised access resulted in the breach of personal and financial information of both customers and employees.
Dominion National, a leading insurer and administrator of dental and vision benefits in the United States, today announced that it discovered an unauthorised intrusion into some of its servers that went on for nine years and may have breached personal and financial information of both employees and customers.
Data breach impacted SSNs, names, emails & bank accounts of Dominion National customers & employees
In a press release, the insurance firm stated that the unauthorised intrusion “may have occurred as early as August 25, 2010” and was discovered following an internal alert on April 24 this year. The firm then described data contained in the compromised servers as below:
“The data may include enrollment and demographic information for current and former members of Dominion National and Avalon vision, and current and former members of plans we provide administrative services for. In addition, the data may include personal information for producers who placed Dominion National and Avalon vision policies, and healthcare providers participating in the insurance programs of Dominion National.
“The member information may have included names, addresses, email addresses, dates of birth, Social Security numbers, member ID numbers, group numbers, and subscriber numbers. For members who enrolled online through Dominion National’s website, their bank account and routing numbers may have also been included in the data.
“The provider information may have included names, dates of birth, Social Security numbers, and/or taxpayer identification numbers. The producer information may have included names and Social Security numbers,” the firm said.
Even though the unauthorised intrusion into Dominion National’s servers went on for nine years, the firm insists that it has no evidence that any information stored on the compromised servers was accessed, acquired, or misused. After the intrusion was detected, the firm cleaned the affected servers, implemented enhanced monitoring and alerting software, and contacted the FBI.
“We recognise the frustration and concern that this news may cause, and rest assured we are doing everything we can to protect your information moving forward,” said Mike Davis, President of Dominion National.
“We have no evidence that any information was in fact accessed, acquired, or misused. Out of an abundance of caution, we are offering a two-year membership to ID Experts® MyIDCare™, which includes credit monitoring and fraud protection services, for any potentially affected individual,” he added.
Layered defence approach a must for firms holding customer data
Commenting on the data breach that may have lasted nine years, Fraser Kyne, EMEA CTO at Bromium, says that with highly sensitive data, from home addresses to Social Security numbers and bank details, exposed through the breached servers, the length of time this information was open to unauthorised access gives cause for great concern.
“Nine years is an incredibly long time for a hacker to remain undetected with this kind of access. The longer the ‘dwell time’ (i.e. the time a potential hacker has unauthorised access to systems), the more damage can be caused; hackers will have had ample opportunity to move through systems, potentially insert backdoors, exfiltrate data and spy on communications.
“It’s unclear how the original breach occurred in this case; however, the most common attack vectors are email and browsers, accessed through the endpoint. From there, hackers can make their way through systems to get to their target – in this case the company’s servers. Trying to detect an attack like that in real time is a fallible approach, and once a hacker has made their way in they can deploy all manner of disguises to stay under the radar.
“This is why it’s important to adopt layered defences that utilise application isolation to contain malicious threats; preventing hackers from gaining a foothold in the network. That way, if a user does visit an infected site or open a malicious attachment then the malware is rendered harmless; the hacker has nowhere to go, nothing to steal and won’t be able to reach company servers.
“If an attack has come through the network, having threat telemetry is vital. Often, an attacker will try all manner of ways to gain access, so gathering data from your endpoints and being able to track the full kill chain can uncover vital clues regarding the motivation of the hacker and the type of malware they are using.
“Again, by using application isolation to contain threats, security analysts can watch how the malware behaves while knowing their systems remain safe – essentially turning the endpoint from a traditional point of weakness into an intelligence-gathering strength, providing organisations with rich threat telemetry about the hacker’s intent that hardens the entire defensive infrastructure,” he adds.