Erie Insurance said it has “seen no evidence of ransomware and there is no indication of ongoing threat actor activity” in a June 17 update on its 10-day-long network outage.
That statement appears to conflict with allegations made in two class action lawsuits filed against the insurer, both of which claim that a ransomware group infiltrated the insurer’s network, resulting in a data breach.
Erie has also not confirmed the occurrence of any data breach.
“At this time, we have control of our systems,” the insurer reported. The company stated that it is working tirelessly alongside cybersecurity experts to fully restore access for its customers, agents, and employees.
“Unfortunately, incidents like this are becoming increasingly sophisticated and can impact even the most well-protected organizations. Upon detecting unauthorized activity, we took immediate action to contain the issue and have since implemented additional security measures to further strengthen our systems,” the statement said.
One lawsuit was filed by Neil Plascencia, a customer from Illinois, and the other by Amy Haas, a former Erie employee residing in Wisconsin. Both allege that Erie Insurance failed to adequately safeguard their personally identifiable information (PII), and each is seeking $5 million in damages.
Both lawsuits allege that on June 7, a ransomware group infiltrated Erie’s information network, resulting in a data breach.
A report from the Google Threat Intelligence Group suggests that the cybercrime group Scattered Spider may be responsible for Erie’s troubles based on the timing, although this remains unconfirmed. Google has cautioned insurers that Scattered Spider, which previously targeted retailers in the U.S. and U.K., now seems to be shifting its focus toward the insurance sector.
The insurer reported that on Saturday, June 7, its information security team detected unusual network activity and promptly took measures to protect its systems and data. Since then, the company’s systems have remained offline, disrupting phone, email, and online application services.
Plaintiff Plascencia asserts that in June, he received an email from Erie informing him that a security breach had exposed his personally identifiable information (PII) to cybercriminals.
A spokesperson stated that the insurer refrains from commenting on ongoing legal proceedings.
Requests for comment directed to the attorneys handling the class action lawsuits have not yet received a response.
Erie Insurance urged customers to adhere to personal security best practices and to promptly inform their financial institutions of any suspicious activity.