CNA Paid Hackers $40 Million Following Cyberattack

Data was stolen, CNA officials were locked out of their network.
May 26, 2021

CNA Financial Corp., among the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack, according to sources cited in a news report by Bloomberg. The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network, according to two people familiar with the attack who asked not to be named.

In a statement, a CNA spokesperson said the company followed the law. “CNA is not commenting on the ransom,” spokeswoman Cara McCall said. “CNA followed all laws, regulations, and published guidance, including OFAC’s [the Treasury Department’s Office of Foreign Assets Control] 2020 ransomware guidance, in its handling of this matter.” The FBI discourages organizations from paying ransom.

A task force of security experts and law enforcement agencies estimated that victims paid about $350 million in ransom last year, a 311 percent increase over 2019. The task force recommended 48 actions that the Biden administration and private sector could take to mitigate such attacks, including better regulation of the digital currency market used to make ransom payments. The report, prepared by the Institute for Security and Technology, was delivered to the White House before Colonial Pipeline Co. was compromised in a ransomware attack that led to fuel shortages and long lines at gas stations along the East Coast of the U.S.