This week, Landmark Admin, an insurance administrative services company, disclosed that a data breach stemming from a cyberattack in May has affected over 800,000 individuals.
In a filing with the Maine Attorney General’s office, Landmark reported detecting suspicious activity on May 13, 2024. In response, the company promptly shut down its IT systems and remote network access to mitigate the potential spread of the attack.
Here’s what we know about the breach so far, along with the lessons learned.
Landmark Admin: Behind the company
As background, Landmark Admin serves as a third-party administrator for insurance companies, providing services like claims processing and benefit plans.
Its customers within the insurance space include American Monumental Life Insurance Company, Pellerin Life Insurance Company, American Benefit Life Insurance Company, Liberty Bankers Life Insurance Company and many others.
Details of the Landmark Admin data breach
Following the detection of suspicious activity within its systems on May 13, Landmark Admin enlisted the help of a third-party cybersecurity firm to address the incident and investigate whether any data had been compromised. During this inquiry, the company uncovered evidence that the attackers accessed files containing personally identifiable information for a staggering 806,519 individuals.
According to Landmark’s data breach notification, the compromised information includes names, addresses, social security numbers, tax identification numbers, driver’s license details, passport numbers, financial account numbers, medical information, dates of birth, and specifics related to health insurance and life annuity policies.
In its filing, Landmark Admin announced plans to send data breach notification letters to all individuals affected by this security incident. These letters will detail the specific information that was compromised. Given the sensitive nature of the stolen data, those impacted are advised to monitor their credit reports and bank accounts for any signs of suspicious activity.
How did the breach happen?
As of now, the precise method by which attackers infiltrated Landmark Admin’s systems remains unclear, and no group has claimed responsibility for the breach. However, this incident underscores the critical importance of supply chain security. Landmark Admin does not directly serve 800,000 customers; instead, the breach of its systems exposed the data of its clients’ customers.
While one might assume that liability falls squarely on Landmark Admin, recent developments involving AT&T suggest a more complex scenario. The Federal Communications Commission (FCC) recently reached a $13 million settlement with AT&T over a data breach that occurred in January 2023, traced back to one of its third-party cloud vendors.
This breach exposed sensitive information for over 8.9 million AT&T Mobility customers and occurred through an unnamed company contracted for marketing, billing, and personalized video content services. According to the settlement details, AT&T had shared customer data with the vendor to facilitate these services, raising questions about the shared responsibility for data security across the supply chain.
Lessons learned
When businesses share sensitive data with third-party vendors, they are essentially extending their security perimeter. This means that the security measures in place at these vendors must be as robust as those within the primary organization. However, many businesses fail to conduct thorough security assessments of their vendors, leaving them exposed to potential breaches.
The breach at Landmark Admin exemplifies how an incident involving a third party can have cascading effects. The 800,000 individuals affected by this breach may not even have known that Landmark Admin was responsible for their data. As the situation unfolds, it will be intriguing to observe the outcomes of any class action lawsuits. Will Landmark Admin shoulder the blame alone, or will the insurers that utilize its services also face scrutiny?
In truth, either could occur, which is why robust third-party security measures and due diligence are both crucial. Organizations must adopt a proactive approach to vendor management. Regular audits, comprehensive risk assessments, and clear contractual agreements regarding data security are essential for mitigating these risks. Furthermore, companies should ensure that their vendors comply with relevant regulations and standards, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), based on their industry.