A recent notification by Aon had DataBreaches wondering exactly what went on with their incident response. Consider their description of what happened:
What Happened?
On February 25, 2022, Aon identified a cyber incident that, upon investigation, impacted a limited number of systems. Once the incident was discovered, Aon immediately retained leading cybersecurity firms to assist in responding and help conduct a thorough investigation of the incident.The investigation revealed that an unauthorized third party accessed certain Aon systems at various times between December 29, 2020 – February 26, 2022. Findings from the investigation indicate the unauthorized third party temporarily obtained certain documents containing personal information from Aon systems during this period. Aon has taken steps to confirm that the unauthorized third party no longer has access to the data and Aon has no indication the unauthorized third party further copied, retained, or shared any of the data. We have no reason to suspect your information has or will be misused.
The third party “temporarily” obtained certain documents containing personal information? So documents exfiltrated between December 2020 and February 2022 weren’t in the threat actors’ possession for more than one year? What do they mean by “temporarily?”
And what do they mean that they have “no indication that the unauthorized third party further copied, retained, or shared any of the data.” Is absence of evidence evidence of absence? Or did they pay the threat actor to delete data? How can they say “We have no reason to suspect your information has or will be used?” Do they have reason to suspect it won’t be?
These types of notifications that are not fully transparent seem deceptive, at best.
DataBreaches sent an inquiry to Aon Saturday about the basis for their claims of “no reason to suspect” but received no reply by the time of this publication.
You can read their full notification template at the California Attorney General’s website.
In this case, the types of data involved in the breach included names and one or more of the following: Social Security number, driver’s license number, and, in a small number of cases, benefit enrollment information.
The incident was first disclosed by Aon in February in an SEC -K filing noted by Reinsurance News.