NYSE-listed insurance firm Ryan Speciality Group (a $6 billion by market cap wholesale insurance broker and managing underwriter) said August Friday 13 it may have suffered a data breach, with customers' financial account information, passport numbers, driving licence details, username/email and password, dates of birth and more all exposed in emails that were potentially accessed without authorisation over a 16-day period.
The emails were accessed between April 4, 2021 and April 20, 2021 Ryan Speciality Group said, adding that it was not able to determine whether any specific emails in those accounts were accessed or viewed.
The company said it conducted a "programmatic and manual review of the contents of the email accounts" to see if any sensitive information was present, to which the answer was, seemingly, yes; a great deal.
Reading between the lines of the company's statement, it appears likely that the company saw a mail server handled by an MSP breached but is unable to trace activity further than the initial intrusion. The Stack has asked for further details, including why such sensitive PII was apparently held in plaintext emails.
The insurance firm said: "Upon learning of this incident, Ryan Specialty moved quickly to investigate, respond, and assess the security of relevant systems", adding that it has reset relevant account passwords and is now "blocking potentially malicious IP addresses, removing any suspicious emails from Ryan Specialty mailboxes, reviewing for and disabling any suspicious rules within Ryan Specialty mailboxes, and opening investigations with its email solutions and managed services providers to gain further insight into the incident.
"As part of Ryan Specialty’s ongoing commitment to the security of information, it is also reviewing existing policies and procedures to reduce the likelihood of a similar future event."
Customers troubled at the loss of what appears to have been potentially extensive unencrypted personal data are being offered access to "complimentary credit monitoring and identity protection services for twenty-four (24) months through Experian." The breach came shortly before Ryan Speciality Group's IPO.