After Belfius, DVV and CDA insurance fell victim to a hacker attack, other insurers also appear to be having problems. P&V Insurance and Schyns Assurances & Finances now complete the offering.

Late last week, HLN reported that the hacker collective Killsec had published data on a Leaksite with data on Belgian residents. Victims in service: DVV, Belfius and CDA insurance.

Killsec says it is not blackmailing the insurers, but a third party. “We compromised a software supplier and received data from them. We will publish all the data if we do not find a solution.” The hacker collective does not disclose who this third party is.

Is Penbox to blame?

According to HLN, this is Penbox, a partner that works with 400 large and small players in the insurance industry. Initially, the company only wanted to react to the incident with a certain degree: “Our systems have not been compromised, the true circumstances are still being investigated.”

Yesterday it emerged that data from P&V Insurance and Schyns Assurances & Finances had been compromised. Of the first documents, 28,000 were allegedly stolen. P&V tells HLN that this is a limited data set from 2023.

“Critical data such as registration or contract data were not included in this data set, but personal data such as the names and addresses of a limited number of customers were. We are of course taking this very seriously. We are currently analyzing the effects in order to take the necessary further steps.”

Strange detail: Penbox accidentally posted the files publicly online. Human error would be the cause and not a “hack” in which systems were cracked. Killsec may have intercepted this and now wants money.

Hackers smell money

“We keep this data safe and will delete it if we reach an agreement with the companies. Otherwise, we will publish it and fines and lawsuits under the GDPR will follow,” reports Killsec.

According to reports, there is no specific amount on the table that the hacker collective wants. They emphasize that this is indeed confidential information. “The Belgian companies use PenBox.io to process sensitive data such as contact information, logins and other data that must be handled with care. We have also downloaded large amounts of documents from other companies.”