Cyber insurance giant CNA paid out $40 million to its ransomware attackers

Yes, you read that correctly. FORTY MILLION DOLLARS.

Cyber insurance giant CNA paid out $40 million to its ransomware attackers

Back in March, insurance firm CNA Hardy had much of its IT system knocked out by a ransomware attack, and sensitive data stolen.

That’s not a good look for a firm that sells cyber insurance.

And what’s also pretty ugly is that Bloomberg reports that CNA chose to pay an eye-watering $40 million to the cybercrime gang that launched the ransomware attack.


Sign up to our free newsletter.
Security news, advice, and tips.

As security researcher Kevin Beaumont adroitly points out on Twitter, it’s makes one raise an eyebrow at some of the things CNA Hardy has said in the past on the topic of ransomware.

For instance:

Robb cna

“A ransomware attack can have a devastating impact on business. Developing a breach plan and knowing what steps to take in the event of an attack could help save a business.” – Brian Robb, CNA.

He’s not wrong.

(According to his LinkedIn profile, Robb left CNA Hardy last month to start a job as head of cyber at a different insurance firm. One imagines it might have looked better on his resume if he had moved on before the ransomware attack occurred, but never mind. Timing is everything.)

Meanwhile, CNA Hardy says that all of its cyber policy holders automatically get something called CNA CyberPrep. What’s that you ask?

CNA CyberPrep, built on nearly two decades of cyber insurance expertise, is a proactive program of cyber risk services developed by CNA Risk Control and CNA Cyber insurance underwriters in partnership with leading cybersecurity specialists. It is designed to aid CNA cyber policyholders in cyber threat identification, mitigation and response.

A cynic might suggest that if CNA cannot protect itself, then it’s unlikely it will be able to do the job for its clients.

Of course, it’s very easy to have a good laugh about a cyber insurance company getting caught with its pants down, hit by ransomware, and paying an EYEWATERING $40 MILLION RANSOM (sorry, but I do think the figure deserves emphasising), but it could have happened to just about anyone…

…well, maybe not the paying $40 million bit.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Cyber insurance giant CNA paid out $40 million to its ransomware attackers”

  1. Arnold Schmidt

    Casually blowing $40 Million on paying ransom to a bunch of thieves is going to go over real well with the stockholders and board. Look for the current management to be standing in the unemployment lines soon :-)

  2. Linda

    CNA is a big company that can afford its loss but smaller businesses can't bear the loss as such. So it is always wiser for small business owners to be very careful while operating their business. A small mistake can cost them a lot. The best way to prevent any error is to use employee monitoring software. I have been using such software for years the benefits I get is awesome.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.