Insurance Broker A.J. Gallagher Reports on Investigation Into 2020 Ransomware Attack

An investigation by insurance broker Arthur J. Gallagher & Co. into a ransomware attack on its systems last September has revealed that personal information on individuals was accessed. The broker is in the process of contacting affected individuals.

The firm said the attacker remains unknown. The variant of ransomware found within Gallagher systems was RagnarLocker, which is a ransomware that affects devices running Microsoft Windows operating systems, Vince Regan, attorney for the brokerage, told Insurance Journal.

Gallagher would not say at this time whether it paid ransom out of concern for potentially compromising the ongoing investigations. The FBI has warned victims to not pay cybercriminals.

Gallagher also said it could not publicly disclose how many parties or individuals have been affected.

Last September, Gallagher and its claims unit, Gallagher Bassett, reported that a ransomware incident that happened on Saturday, Sept. 26 limited some of its internal systems.

In a filing with the Securities and Exchange Commission (SEC) in September, the company said it took all of its global systems offline as a precautionary measure, initiated response protocols, launched an investigation, engaged external cybersecurity professionals, and implemented its business continuity plans to minimize disruption to its customers.

The firm said it was able to restore from backups and its systems were operational relatively quickly after detection of the attack in part due to certain security measures that were in place before the attack.

Gallagher said then that based on the current information, it did not expect the incident to have a material impact on its business, operations or financial condition.

Working with cybersecurity and forensic specialists to “determine what may have happened and what information may have been affected,” Gallagher determined that an “unknown party accessed or acquired data contained within certain segments” of its network between June 3, 2020 and September 26, 2020.

While the investigation was able to confirm that certain systems were accessed, it was unable to confirm what information within those systems was actually accessed.

To learn more, Gallagher said it conducted an “extensive review of the entire contents” of the impacted systems. On May 24, 2021 Gallagher’s investigation confirmed that the impacted data included information relating to certain individuals. Gallagher said it continued to work through June 23, 2021 to begin notifying its business partners and to obtain address information for impacted individuals to provide them with accurate notice.

According to Gallagher, this review determined that one or more of the following types of information associated with certain individuals were present on impacted systems: Social Security number or tax identification number, driver’s license, passport or other government identification number, date of birth, username and password, employee identification number, financial account or credit card information, electronic signature, medical treatment, claim, diagnosis, medication or other medical information, health insurance information, medical record or account number, and biometric information.

Gallagher said it is notifying potentially affected individuals and has established a dedicated assistance line at (855) 731-3320 for individuals seeking additional information. Individuals can also learn more on this special section of the firm’s website.

Ransomware attacks are growing in number and cost. Last year in the U.S. alone, victims of attacks included more than 100 government agencies at all levels, more than 500 health care centers, 1,680 educational institutions and thousands of businesses, according to the cybersecurity firm Emsisoft. The attacks have caused tens of billions of dollars in losses.

Illinois-based Gallagher, an insurance broker that offers cyber insurance, is not alone among insurance entities attacked. CNA Financial Corp., also based in Illinois, paid $40 million in late March to regain control of its network after a ransomware attack. Colonial Pipeline and meat producer JBS have also paid ransom.