“We promptly took all of our global systems offline as a precautionary measure, initiated response protocols, launched an investigation, engaged the services of external cybersecurity and forensics professionals, and implemented our business continuity plans to minimise disruption to our customers,” the company said in an 8-K filing with the US Securities and Exchange Commission (SEC).
Gallagher also gave assurances in its SEC filing that it has restarted – or is in the process of restarting – most of its business systems.
“Although we are in the early stages of assessing the incident, based on the information currently known, we do not expect the incident to have a material impact on our business, operations or financial condition,” the brokerage added.
Gallagher did not reveal in the filing whether any customer or employee data was accessed by the attackers.
BleepingComputer reached out to Gallagher for more detail on the ransomware attack, but the brokerage giant refused to comment. However, Bad Packets chief research officer Troy Mursch confirmed to BleepingComputer that Gallagher had two F5 BIG-IP servers vulnerable to CVE-2020-5902 prior to the ransomware attack. CVE-2020-5902 is a remote code execution vulnerability that malicious actors can exploit on unpatched devices without authenticating.
With Gallagher remaining tight-lipped on the ransomware incident, BleepingComputer suspects that there is a “high chance” that data was stolen from the brokerage, depending on the ransomware group that launched the attack. Of the various ransomware operations, 22 are known to first steal sensitive information from victims before locking their systems with encryption.
The cybersecurity news website also warned that insurance companies typically handle very sensitive and private information such as medical records, blood tests, health and financial information, as well as tax returns. A data breach would lead to these documents being leaked on the dark web for other malicious actors to exploit.