US insurance giant Farmers Insurance says more than a million customers had personal data nicked after a third-party vendor was compromised.
The insurer, which sells car, home, life, and business cover to more than 10 million Americans, briefly published an advisory on its website confirming the breach before quietly pulling it offline [PDF]. Farmers isn’t saying why, but companies sometimes retract notices to tweak wording or to coordinate with regulators. In practice, such moves often fuel speculation that the incident may be bigger, or messier, than the carefully worded filings suggest.
While Farmers’ advisory has mysteriously vanished, notifications filed with Maine’s attorney general confirm the incident affected just over 1.1 million people, with exposed data ranging from names and addresses to dates of birth, driver’s license numbers, and in some cases fragments of Social Security numbers.
The state filings – which remain online – spell out that around 40,000 people linked to Farmers New World Life Insurance Co. were affected, with the remaining 1.07 million tied to Farmers Insurance Exchange, Farmers Group, and affiliates. The filings also reveal that the compromise took place on May 29 and was spotted the following day, but warning letters didn’t start landing on doormats until August 22.
Farmers isn’t saying which third-party vendor got popped, though reports speculate that it is Salesforce. The CRM giant counts Farmers as a customer, but has so far kept quiet on whether the company’s Salesforce instance was the focus of the attack.
The Salesforce campaign has become one of the year’s most damaging supply chain incidents, with intruders apparently abusing stolen OAuth tokens, social-engineering calls, and misconfigured integrations to rifle through corporate customer data.
The spree has already touched a wide range of industries: airlines including Qantas, retailers like Louis Vuitton, tech firms, and financial services providers have all found themselves dragged into the mess.
Although none have publicly named Salesforce, Google has said its own corporate Salesforce instances were affected by similar UNC6040 activity described by its Threat Intelligence group, which has been tracking the campaign since June.
Security researchers have largely pinned responsibility on the ShinyHunters extortion crew, a well-established criminal gang with a track record of data-slurping at scale – specifically last year’s Snowflake attacks. We have asked Salesforce for comment. The vendor has previously pointed out to several outlets that such attacks are “not due to any known vulnerability in our platform,” saying it continues to “encourage all customers to follow security best practices to protect their data.”
“It is a stark reminder that service providers may not have the same view and risk appetite of security than you do,” Ken Munro, founder of Pen Test Partners, told The Register.
For now, Farmers customers will have to brace for more phishing and fraud attempts. ®