
US insurance firms sound alarm after 66,000 individuals impacted by SIM swap attack


February 08, 2024


Two US insurance companies are warning that thousands of individuals' personal information may have been stolen after hackers compromised computer systems.

Washington National Insurance and Bankers Life, both subsidiaries of the CNO Financial Group, were targeted by SIM-swapping hackers in November 2023.

As we've described before, SIM-swapping attacks involve fraudsters tricking customer support staff at a cellphone operator into giving them control of someone else's phone number. This allows the fraudster to receive the victim's phone calls and SMS messages, including two-factor authentication tokens.

In some cases, SIM-swappers hijack phone numbers with the help of a rogue insider at the cellphone company.

A breach notification letter sent by Washington National Insurance to 20,360 affected individuals explains that a SIM-swapping attack on a "senior officer's phone number" allowed the hackers to bypass multi-factor authentication.

The company warned that personal information including names, social security numbers, dates of birth, and policy numbers may have been stolen.

Bankers Life sent a nearly identical breach notification letter to 45,842 individuals.

In short, the personal information of some 66,000 people is now in the hands of cybercriminals, who may use it for fraud or further attacks.

What I find particularly alarming is that SIM swap attacks aren't new. Criminals use this method to break into systems without authorisation, whether to plant ransomware, exfiltrate data, or pilfer cryptocurrency.

SMS-based two-factor authentication is less secure than authentication apps with time-based one-time passwords (TOTP) or hardware keys. Yet companies still leave themselves open to SIM-swapping.

With SIM-swapping so prevalent and easy for criminals to pull off, organizations and individuals should avoid linking accounts to their phone number. They should also add additional layers of security to their cellphone accounts to make it harder for a crook to trick a cellphone operator into handing over a number.

Both insurance companies should clearly talk to their cellphone provider about preventing a similar accident from occurring again.

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
