CNA Financial paid $40 million in late March to regain control of its network after a ransomware attack, Bloomberg reports.

The hackers reportedly demanded $60 million when negotiations started about a week after some of CNA’s systems were encrypted, and the insurance company paid the lower sum a week later.

In a statement, a CNA spokesperson said the company followed the law. She said the company consulted with, and shared intelligence about the attack and the hackers’ identity with, the FBI and the Treasury Department’s Office of Foreign Assets Control (OFAC), which said last year that facilitating ransom payments to hackers could pose sanctions risks.


“CNA is not commenting on the ransom,” spokeswoman Cara McCall said. “CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”

In a security incident update published on May 12, CNA said it did “not believe that the systems of record, claims systems, or underwriting systems, where the majority of policyholder data – including policy terms and coverage limits – is stored, were impacted.”

According to two people familiar with the CNA attack, the company initially ignored the hackers’ demands while pursuing options to recover its files without engaging with the criminals, Bloomberg reports.
