81K people's sensitive info feared stolen from Hilb after email inboxes ransacked

Hilb Group has warned more than 81,000 people that around the start of 2023 criminals broke into the work email accounts of its employees and may have stolen a bunch of sensitive personal information.

The financial biz handles property, casualty, and employee benefits insurance and advisory services at more than 130 locations across 22 US states. The Hilb Group did not immediately respond to The Register's inquiries about the extent of the intrusion nor how the thieves were able to get at such personal info.

What details are available are a little vague but worrying. In a notification to the Maine Attorney General's office on Thursday, the biz said miscreants accessed people's first and last names and sensitive financial data and credentials.

Specifically, we're told: "Financial Account Number or Credit/Debit Card Number (in combination with security code, access code, password or PIN for the account)." That notification includes a sample letter to those affected by the security breach, which states the stolen data was limited to people's names and Social Security numbers.

Either way, not a good look for an outfit that claims to help people mitigate and manage risk.

Hilb says it discovered "suspicious activity" related to employee email accounts around January 10. After doing some digging, and bringing on a third-party incident response firm, the insurance brokerage determined someone broke into those inboxes between December 1, 2022 and January 12, 2023. Months and months ago, in other words. After that, Hilb said it tried to figure out what data the intruders had access to.

"We then began a thorough review of the contents of the email accounts in order to determine the type(s) of information contained within the accounts, and to whom that information related," the security breach notification letter [PDF] stated.

• Critical Apache ActiveMQ flaw under attack by 'clumsy' ransomware crims
• Okta tells 5,000 of its own staff that their data was accessed in third-party breach
• Boeing acknowledges cyberattack on parts and distribution biz
• Ransomware crooks SIM swap medical research biz exec, threaten to leak stolen data

It said it completed this review on July 28, and then started locating affected individuals, which took another few months, apparently. And then on October 9, Hilb says, it began sending out letters to 81,539 folks notifying them that their personal and financial data was potentially stolen.

Hilb said upon discovering the intrusion it "immediately" secured the compromised email accounts, began a thorough investigation, and "implemented additional technical safeguards to enhance the security of information in our possession and to prevent similar incidents from happening in the future." So that's all right then.

The Register will update this story if and when Hilb responds.

To compensate for any stolen financial data, the insurance group is offering affected folks the usual free credit monitoring and identity protection services. ®