US Insurance Companies Washington National and Bankers Life Hit by SIM-Swapping Attack, Exposing Personal Data of Thousands

Washington National Insurance and Bankers Life, subsidiaries of the CNO Financial Group, have reported a significant data breach after falling victim to SIM-swapping hackers in November 2023. The breach has potentially compromised the personal information of thousands of individuals.

SIM-swapping attacks involve fraudsters manipulating customer support at a cellphone operator to gain control of someone else’s phone number, enabling them to intercept phone calls and SMS messages, including two-factor authentication tokens.

In this case, a breach notification letter sent by Washington National Insurance to 20,360 affected individuals revealed that a SIM-swapping attack on a senior officer’s phone number bypassed multi-factor authentication, exposing sensitive information such as names, social security numbers, dates of birth, and policy numbers.

Similarly, Bankers Life sent a nearly identical breach notification letter to 45,842 individuals, bringing the total number of people affected across the two companies to 66,000.

While SIM-swapping attacks are not new, their prevalence and ease of execution make them a significant threat. Criminals utilize this method to gain unauthorized access to systems for various malicious purposes, including ransomware deployment, data exfiltration, and cryptocurrency theft.

SMS-based two-factor authentication is known to be less secure than other methods, such as authentication apps that generate time-based one-time passwords (TOTP) or hardware keys, and relying on it leaves organizations vulnerable to such attacks.

To mitigate the risk posed by SIM-swapping, organizations and individuals are advised to refrain from linking accounts solely to their phone numbers and to implement additional security measures on their cellphone accounts. Both insurance companies are urged to engage with their cellphone providers to enhance security protocols and prevent similar incidents in the future.
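
One way to check for the exposure described above, as an added example that is not part of the original article: the script flags accounts whose MFA can be satisfied through a phone number, either as the only factor or as a fallback beside a stronger one. The record layout, factor names and sample accounts are constructed assumptions, not any vendor's export format.

```python
# Added example: audit MFA enrollments for SIM-swap exposure.
# Field names ("user", "privileged", "mfa_factors") and factor labels are assumptions.

PHONE_BOUND = {"sms", "voice"}  # factors that depend on control of a phone number

def sim_swap_exposure(account):
    """Classify how an account's MFA depends on its phone number."""
    factors = {f.lower() for f in account["mfa_factors"]}
    if not factors:
        return "no_mfa"
    if factors <= PHONE_BOUND:
        return "phone_only"       # every enrolled factor moves with the SIM
    if factors & PHONE_BOUND:
        return "phone_fallback"   # a stronger factor exists, but SMS/voice still works
    return "not_phone_bound"

def audit(accounts):
    """Return (severity, user, exposure) findings, privileged accounts first."""
    findings = []
    for acct in accounts:
        exposure = sim_swap_exposure(acct)
        if exposure == "not_phone_bound":
            continue
        # A privileged account (e.g. a senior officer) raises the severity.
        severity = "high" if acct.get("privileged") else "medium"
        findings.append((severity, acct["user"], exposure))
    return sorted(findings, key=lambda f: (f[0] != "high", f[1]))

# Constructed sample directory export.
SAMPLE_ACCOUNTS = [
    {"user": "cfo@example.com", "privileged": True, "mfa_factors": ["sms"]},
    {"user": "it-admin@example.com", "privileged": True, "mfa_factors": ["totp", "sms"]},
    {"user": "agent1@example.com", "privileged": False, "mfa_factors": ["sms", "voice"]},
    {"user": "agent2@example.com", "privileged": False, "mfa_factors": ["totp"]},
    {"user": "sec-lead@example.com", "privileged": True, "mfa_factors": ["hardware_key"]},
]

if __name__ == "__main__":
    for severity, user, exposure in audit(SAMPLE_ACCOUNTS):
        print(f"{severity:6} {user:24} {exposure}")
```

The "phone_fallback" finding matters because enrolling TOTP or a hardware key does not close the SIM-swap path while SMS or voice remains an accepted alternative on the same account.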

