Social engineering attack obtains data on ‘majority’ of Allianz Life customers
The personal information of a majority of Allianz Life’s customers and some of its employees was compromised in a social engineering incident earlier this month, the life insurance business has disclosed.
In a statement, the company said “a malicious threat actor gained access to a third-party CRM system” on July 16. The third party was not identified, and the incident was discovered a day later.
According to the legal notice filed in Maine, Allianz Life has not yet identified how many or which of its 1.4 million customers were impacted, but it plans to begin its notification process on Friday. The Minneapolis-based company serves the U.S. but is owned by the German financial services giant Allianz.
In its statement, the company said the attacker “was able to obtain personally identifiable data related to the majority of Allianz Life’s customers, financial professionals, and select Allianz Life employees, using a social engineering technique.”
It is not clear what specific data was obtained. A life insurance company’s CRM (customer relationship management) system will typically hold a range of personal information about policyholders, including personally identifying data as well as material on the policies themselves, although these systems do not normally hold credit or bank card details.
The business said it had reported the incident to the FBI, but did not speculate on the identities or motives of the perpetrators.
The incident follows a warning last month from security analysts at Google’s Threat Intelligence Group that hackers known for specialising in social engineering attacks were targeting the insurance industry, shortly after the group appeared to have targeted organisations in Britain’s retail sector. Four people have been arrested in the United Kingdom in connection with those attacks.
At the time of the warning, Google Mandiant’s chief analyst John Hultquist said “the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.”
Several other insurance companies have recently reported incidents, including Aflac, which said it believed social engineering tactics were used to access its network. Erie Insurance did not disclose the nature of its incident, but announced there was no evidence personal information was breached. Philadelphia Insurance Companies also did not explain how its network was accessed, and stated its forensic investigation is ongoing to determine whether customer data was accessed.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.