81K people's sensitive info feared stolen from Hilb after email inboxes ransacked

Credit card numbers, security codes, SSNs, passwords, PINs? Yikes!

Hilb Group has warned more than 81,000 people that around the start of 2023 criminals broke into the work email accounts of its employees and may have stolen a bunch of sensitive personal information.

The financial biz handles property, casualty, and employee benefits insurance and advisory services at more than 130 locations across 22 US states. The Hilb Group did not immediately respond to The Register's inquiries about the extent of the intrusion nor how the thieves were able to get at such personal info.

What details are available are a little vague but worrying. In a notification to the Maine Attorney General's office on Thursday, the biz said miscreants accessed people's first and last names and sensitive financial data and credentials.

Specifically, we're told: "Financial Account Number or Credit/Debit Card Number (in combination with security code, access code, password or PIN for the account)." That notification includes a sample letter to those affected by the security breach, which states the stolen data was limited to people's names and Social Security numbers.

Either way, not a good look for an outfit that claims to help people mitigate and manage risk.

Hilb says it discovered "suspicious activity" related to employee email accounts around January 10. After doing some digging, and bringing on a third-party incident response firm, the insurance brokerage determined someone broke into those inboxes between December 1, 2022 and January 12, 2023. Months and months ago, in other words. After that, Hilb said it tried to figure out what data the intruders had access to.

"We then began a thorough review of the contents of the email accounts in order to determine the type(s) of information contained within the accounts, and to whom that information related," the security breach notification letter [PDF] stated.

It said it completed this review on July 28, and then started locating affected individuals, which took another few months, apparently. And then on October 9, Hilb says, it began sending out letters to 81,539 folks notifying them that their personal and financial data was potentially stolen.

Hilb said upon discovering the intrusion it "immediately" secured the compromised email accounts, began a thorough investigation, and "implemented additional technical safeguards to enhance the security of information in our possession and to prevent similar incidents from happening in the future." So that's all right then.

The Register will update this story if and when Hilb responds.

To compensate for any stolen financial data, the insurance group is offering affected folks the usual free credit monitoring and identity protection services. ®

Send us news

Orgs are having a major identity crisis while crims reap the rewards

Hacking your way in is so 2022 – logging in is much easier

Feds dismantle Russian GRU botnet built on 1,000-plus home, small biz routers

Beijing, now Moscow.… Who else is hiding in broadband gateways?

Meet VexTrio, a network of 70K hijacked websites crooks use to sling malware, fraud

Some useful indicators of compromise right here

China's Volt Typhoon spies broke into emergency network of 'large' US city

Jeez, not now, Xi. Can't you see we've got an election and Ukraine and Gaza and cost of living and layoffs and ...

ALPHV blackmails Canadian pipeline after 'stealing 190GB of vital info'

Gang still going after critical infrastructure because it's, you know, critical

Ivanti devices hit by wave of exploits for latest security hole

At this point you might be better off just shutting the stuff down

Uncle Sam sweetens the pot with $15M bounty on Hive ransomware gang members

Honor among thieves about to be put to the test

The spyware business is booming despite government crackdowns

'Almost zero data being shared across the industry on this particular threat,' we're told

AnyDesk revokes signing certs, portal passwords after crooks sneak into systems

Horse, meet stable door

Crims found and exploited these two Microsoft bugs before Redmond fixed 'em

SAP, Adobe, Intel, AMD also issue fixes as well as Google for Android

Apple promises to protect iMessage chats from quantum computers

Easy to defend against stuff that may never actually work – oh there we go again, being all cynical like

Congress told how Chinese goons plan to incite 'societal chaos' in the US

American public is way ahead of them