40 year-old Richard Neale has been sentenced to 18 months in jail after pleading guilty to four cyber crimes as part of a “revenge hack” on his former company, BBC reports.
Neale co-founded and served as director of the cyber security firm Esselar, which provided security services to Aviva. He begrudgingly sold his shares and left the firm in 2013, apparently over disagreements arising from an insurance payment.
In order to exact revenge on Esselar, Neale hacked Aviva’s electronic networks on a night when Esselar was holding a security demonstration for the insurer. In doing so, he erased all the contents and data of around 900 company-issued iPhones.
The smartphones were sent a message, riddled with errors and that read “it maks my hart bled to say good by lik this, love u mobile iron,” according to The Register.
Mobileiron is an administrative server that helps manage employee Bring Your Own Devices programs. Its server was forced to shut down after the attack.
Aviva has since dropped Esselar as a service provider, a contract worth over $1.6 million annually. The insurer maintains that Neale did not access any sensitive information and that its cyber infrastructure was secure.
“The issue was specific to iPhones and none of Aviva's business data was accessed or lost. Someone gained access to a third party supplier, which also enabled them to reset mobile devices for some Aviva users,” Aviva said in a statement. “There were no financial losses or repercussions. It was an overnight issue and by the start of the next day we had begun to restore devices.”
Aviva has since required that any affected employees switch to a Blackberry 10.
While Aviva was able to recover quickly, this incident shines a new light on the importance of cyber security for brokerages, reinforced by an Ernst and Young report which states that insurance-related hacks are becoming “more pervasive, persistent and sophisticated.”
The organization recommends that insurance professionals create a “cyber risk center of excellence” that tracks ongoing threats and continually seeks to reinforce safeguard vulnerable digital infrastructure.
