
By James Thaler, Isha Marathe
June 12 - (The Insurer) - Philadelphia Insurance Companies’ (PHLY) staff remain offline for the third straight day on Thursday, with the company ordering employees not to access the insurer’s network, as multiple cyber sources confirmed that it is dealing with a “major” ransomware event.
Cyber (re)insurance and cybersecurity sources told Cyber Risk Insurer that the company has been dealing with the outage since Tuesday, affecting email and phone communications.
PHLY has sent multiple updates to broking partners, including as recently as Wednesday evening, advising that the company has “continu(ed) experiencing a network outage impacting PHLY systems.”
The note to brokers and agents said that the outage is also affecting customer access to online applications and that the company is “working to resolve this issue as soon as possible” as it apologized “for any inconvenience.”
On Wednesday, a memo sent to company staff and reviewed by Cyber Risk Insurer said that the insurer’s IT department “has made significant progress, but our network remains down. We appreciate your patience as we work to bring our systems online.”
Messaging from PHLY to staff and trading partners did not indicate whether any sensitive data has been exposed as a result of the breach.
Further details regarding the ongoing remediation and recovery efforts, the identity of the threat actor targeting PHLY, or the nature of any data potentially exposed could not immediately be confirmed. It also could not immediately be confirmed whether the insurer has engaged in negotiations with the threat actor involved.
The insurer also said that its accounting firm has confirmed that scheduled June 13th payroll will process as normal.
“Please be prepared to sign on to our network and proceed with your work day when we communicate that our systems are back up,” staff were told Wednesday. The message added that another update would be sent Wednesday evening.
“Please keep an eye on your devices for messages from the (Tokio Marine North America) Emergency Alert System with updates,” the company told staff.
Most recently, at 9:38 a.m. EST on Thursday, PHLY’s press communication sent an auto-response to The Insurer’s request for comment, saying, “Thank you for your email. We are currently experiencing systems issues and will respond as soon as possible.”
The response noted: “For PHLY brokers and customers: If you are looking to bind new or renewal business for which a valid PHLY proposal has been issued, please call our Contact Center…”
The Insurer received the same auto-response from PHLY at 9:44 a.m. and 10:02 a.m. EST on Wednesday.
Two senior cybersecurity industry sources said the language the insurer has used in its public statements “has all the characteristics of ransomware,” and said that the length of the downtime suggests that the company has fallen victim to a “major” attack.
They added that the known details regarding the ongoing episode, including the ongoing downtime, share parallels with the cyber attack Chicago-based insurer CNA experienced in March 2021.
A spokesperson for Tokio Marine and PHLY declined to comment.
Tokio Marine HCC subsidiaries, including American Contractors Indemnity Company, Texas Bonding Company, United States Surety Company and US Specialty Insurance Company, suffered a data breach earlier this year, in January.
The company filed a data breach notice with the Commonwealth of Massachusetts, in which it disclosed that the breach involved unauthorized access to certain company websites, exposing sensitive consumer data, including names and Social Security numbers.