Hackers claimed to have hacked hundreds of thousands of records from National Life Group, but investigation points to Sterling National Financial Group as the likely hacked entity
The blackhat hacker/extortionist(s) known as thedarkoverlord (TDO) ended 2018 and welcomed 2019 with a number of bold announcements about large hacks. One of those announcements was their claim in a since-removed paste that they had hacked National Life Group (NLG) and exfiltrated more than 500,000 records from their servers:
We breached National Life Group and stole over 500.000 records from their servers. They rejected our most handsome business proposition so we’re leaking a few sample documents now with more to come soon.–
The hackers’ claims are disputed by NLG on a few important points. Until DataBreaches.net called NLG, they reportedly had no idea that anyone was claiming that that they had been hacked and they were not aware that anyone was trying to extort them over a hack they knew nothing about. When contacted by DataBreaches.net, their initial response could be summarized as, “What hack? What extortion attempt? We have no idea what you’re talking about.” But to understand how we got to that point, we need to back up a few weeks.
A few weeks before their public claims, TDO had contacted DataBreaches.net and provided a sample of files that they claimed were from a hack of NLG. The files that DataBreaches.net received at that time are the same files that TDO recently made publicly available in a data dump that DataBreaches.net will not link to.
On December 21, after a preliminary examination of the files, this journalist contacted NLG and spoke with Ross Sneyd about TDO’s claims. Sneyd denied ever having had any email communication from TDO, despite TDO insisting that they had made contact with him previously. He also denied any knowledge of any hack. I verbally provided him with some data — the names of policyholders whose names appeared in the files I had and the names and affiliations of the insurance agents who completed the applications. Sneyd informed me that they would immediately investigate the claims.
Suiting action to their word, one of the things NLG immediately did was to contact FireEye’s Mandiant division for assistance in their investigation.
While they pursued their investigation, this site kept digging into the files it had received, becoming less and less certain that there had been any hack of NLG. Although the files were applications for NLG policies and products, the files and the metadata all appeared to point to Texas-based Sterling National Financial Group, a firm that provides retirement and financial planning services to employees in the public marketplace.
When asked to provide DataBreaches.net with more data that would prove that it was NLG that had been hacked and not Sterling NFG, thedarkoverlord declined to provide more materials.
Many of the files in the small sample this site received were confirmations that individuals had successfully applied for an insurance product. The files contained a wealth of personal and financial information such as name, postal and email address, telephone numbers (landline and cell), date of birth, Social Security number, driver’s license number (in some cases), country of birth, name of beneficiaries and their dates of birth, the applicant’s employer and job title, and bank account information including Bank name, routing number, and full account number.
Note: Although TDO subsequently released theses same files to the general public unredacted, DataBreaches is redacting the files to protect the personally identifiable information.
For some applicants, the files would include health information on the applicant and their minor child if they had a policy that called for term coverage:
National Life Group and Sterling NFG Respond
Late yesterday, DataBreaches.net received statements from both National Life Group and Sterling National Financial Group. National Life Group’s statement, below, appears to confirm what DataBreaches.net had suggested: that it wasn’t their hack:
When we learned of this incident on Dec. 21 we began working with Mandiant, a leading independent digital forensics firm. Mandiant’s initial findings are that there is no evidence of a breach at National Life and this incident likely originated with an independent insurance agency. Mandiant’s work is ongoing.
We understand the independent agency, which works with multiple insurance carriers, is now or will shortly be notifying the affected individuals.
We are also working with law enforcement.
Sterling NFG’s statement to DataBreaches.net, below, seems to acknowledge that they are responsible for notifying customers of a breach, although we might wish that their statement was a bit clearer:
Sterling is aware of this incident. We are working with third party professionals to investigate the situation as well as working diligently to send notification letters to affected customers who will be eligible for credit monitoring services at no cost to them. Due to the current investigation we are unable to provide further comment.
Sterling NFG declined to provide additional details so DataBreaches.net.
DataBreaches.net asked thedarkoverlord to respond to NFG’s denial that they were hacked. The hackers responded:
The insurance policies of the affected materials are held by National Life Group. This makes National Life Group the parent and holds responsibility over the security of the policyholders, who will now have their sensitive PII sold in droves on the dark web, due to NLG’s refusal to accept our most handsome business proposition.
Who’s the Target of the “Handsome Proposition” ????
TDO declined to comment further in response to additional questions posed by this site. Their response — attempting to justify NLG paying their “handsome proposition” instead of Sterling NFG — was a bit surprising, but seems somewhat consistent with other recent statements they have made where they have attempted to hold large insurers with deep pockets such as Hicsox and Lloyd’s of London responsible for a breach that the former firm claims was actually at a law firm that had done some work for them.
If this is TDO’s newer business model or approach, it doesn’t make much sense to me. Yes, I can see claiming that National Life might potentially take a reputation hit because it is their policyholders whose data was stolen, and I can see someone making an argument that National Life’s duty to its policyholders should extend to them ensuring that independent insurance agents who collect information destined for them should have adequate data security, but why would National Life’s insurer reimburse them if they were to pay any “handsome proposition” or extortion demand? If TDO is motivated solely by “internet money” as they repeatedly claim, why go after a firm that won’t get reimbursed for paying their request? Wouldn’t they stand a better chance with a firm that has insurance coverage for a hack?
And yes, I readily admit that I have no business acumen. Thedarkoverlord gives a lot of thought to their methods and business model. Maybe they are on to something that I just fail to recognize or appreciate. Then again, maybe they’re just extorting up the wrong tree, so to speak?
At some point, we will hopefully get some clarification and additional details on this breach. For now, I have no proof as to how many records were actually stolen. Nor do I know if all of the records pertained to NLG policyholders (unlikely if the hack was of Sterling), or if a hack of Sterling’s servers also compromised data of policyholders of other insurers. The latter possibility seems much more likely.
For now, though, it’s important to emphasize that just because thedarkoverlord claims they hacked an entity, they may not have hacked that entity at all and journalists will need to be especially cautious about repeating any claims that contain attributions.