Incident Types: The types of cybersecurity incidents that have occurred include Cyber Attack, Breach and Ransomware.

Total Financial Loss: The total financial loss from these incidents is estimated to be $0.

Detection and Response: The company detects and responds to cybersecurity incidents through an third party assistance with kroll, and communication strategy with public advisory (via media reports), communication strategy with encouraging customers to check exposure via haveibeenpwned and google password checkup, and communication strategy with google security advisory to 2.5b users, and incident response plan activated with yes (for insured firms with preparedness), and third party assistance with cyber insurance providers (e.g., allianz), third party assistance with forensic investigators, third party assistance with legal counsel, and containment measures with network segmentation, containment measures with isolation of affected systems, containment measures with revoking compromised credentials, and remediation measures with patching vulnerabilities, remediation measures with enhanced authentication (mfa), remediation measures with data recovery from backups, and recovery measures with business continuity plans, recovery measures with supplier risk assessments, recovery measures with customer notification (if data breached), and communication strategy with transparent disclosure (for insured firms), communication strategy with regulatory reporting (dora/nis2 compliance), and network segmentation with critical for limiting lateral movement, and enhanced monitoring with early detection reduced losses by 1,000x, and and third party assistance with forensic investigators (implied), and remediation measures with identity protection and credit monitoring services (allianz: 2 years; westjet: 2 years; motility: 12 months), and communication strategy with public disclosures (maine ag filings), customer notifications, advisories to exercise caution, and and third party assistance with cybersecurity experts (unnamed), third party assistance with kroll (identity monitoring services), and law enforcement notified with fbi, and containment measures with isolation of compromised third-party crm, containment measures with internal investigation, and recovery measures with customer notifications (began 2025-08-01), recovery measures with offer of 2 years of complimentary identity monitoring (kroll), and communication strategy with maine attorney general’s office filing, communication strategy with direct customer notifications, communication strategy with public advisory on protective measures, and communication strategy with public disclosure of the breach, and and third party assistance with cyber insurance providers (e.g., allianz commercial), third party assistance with law enforcement (international coordination), and and containment measures with early detection/response (reduces costs by 1,000x), containment measures with business continuity plans, and .

Common Attack Types: The most common types of attacks the company has faced is Breach.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Likely via compromised Salesforce instances, IT Helpdesk Impersonation via Vishing Calls, Compromised Credentials (Most Common)Phishing EmailsFake Help Desk Calls (e.g., Scattered Spider)Exploited Vulnerabilities in Supply Chain, Third-party CRM provider (Allianz Life), Third-Party Cloud-Based CRM System (via Social Engineering) and Social Engineering (Employee Impersonation)Digital Supply Chain ExploitsUnpatched Vulnerabilities (SMEs).

Average Financial Loss: The average financial loss per incident is $0.00.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personal Information, Personally Identifiable Information (Pii), Financial Identification Data (Tax Ids, Ssns), Contact Information, Business Partner Data, , Personally Identifiable Information (Pii), Corporate Partner Data, , Personally Identifiable Information (Pii), Financial Records, Corporate Intellectual Property, , Names, Addresses, Dates Of Birth, Ssns (Allianz Life), Names, Contact Details, Reservation/Travel Documents, Relationship Data (Westjet), Full Names, Home/Email Addresses, Phone Numbers, Dates Of Birth, Ssns, Driver’S License Numbers (Motility), , Personally Identifiable Information (Pii), Sensitive Personal Data, , Sensitive Personal Data, , Personally Identifiable Information (Pii), Corporate Data (Exfiltrated In 40% Of Large Claims) and .

Incident Response Plan: The company's incident response plan is described as Yes (for insured firms with preparedness), , , .

Third-Party Assistance: The company involves third-party assistance in incident response through Kroll, Cyber Insurance Providers (e.g., Allianz), Forensic Investigators, Legal Counsel, , Forensic investigators (implied), , Cybersecurity Experts (Unnamed), Kroll (Identity Monitoring Services), , Cyber Insurance Providers (e.g., Allianz Commercial), Law Enforcement (International Coordination), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Patching Vulnerabilities, Enhanced Authentication (MFA), Data Recovery from Backups, , Identity protection and credit monitoring services (Allianz: 2 years; WestJet: 2 years; Motility: 12 months), .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by network segmentation, isolation of affected systems, revoking compromised credentials, , isolation of compromised third-party crm, internal investigation, , early detection/response (reduces costs by 1,000x), business continuity plans and .

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Business Continuity Plans, Supplier Risk Assessments, Customer Notification (if data breached), , Customer Notifications (Began 2025-08-01), Offer of 2 Years of Complimentary Identity Monitoring (Kroll), .

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through 1,500+ privacy litigation cases (US, 2024).

Key Lessons Learned: The key lessons learned from past incidents are An essential shift in how businesses approach risk management, prioritizing a comprehensive understanding of both new and old threats to maintain operational resilience and security.Ransomware groups may leak data even if ransom is paid; assume worst-case scenarios in response planning.,Salesforce instances can be high-value targets for mass data exfiltration.,Proactive customer communication and tools (e.g., HaveIBeenPwned) are critical for mitigating post-breach risks.,Multi-factor authentication and password hygiene are essential to prevent downstream phishing/identity theft.Vishing attacks leveraging deepfake/AI voice cloning are increasingly effective and difficult to detect.,Collaboration between cybercrime groups (e.g., ShinyHunters, Scattered Spider, Lapsus$) amplifies threat capabilities.,Targeting cloud platforms like Salesforce enables access to multiple victims' data in a single breach.,Traditional MFA methods (e.g., SMS codes) are vulnerable to social engineering; phishing-resistant MFA (e.g., number matching, geo-verification) is critical.,Employee training must include scenario-based vishing simulations to improve detection rates.SMEs are now primary targets due to weaker defenses compared to large enterprises.,Data exfiltration is more profitable and easier than encryption for attackers.,Basic controls (MFA, patching, backups) drastically reduce financial impact.,Supply chain and cloud security are critical but often overlooked.,Tabletop exercises and business continuity planning improve resilience.,Regulatory compliance (DORA, NIS2) will raise the bar for mid-sized firms.Early detection/containment reduces costs exponentially (1,000x lower impact).,Business continuity plans mitigate >50% of claim costs (business interruption).,SMEs remain highly vulnerable (88% of breaches vs. 39% in large firms).,Double extortion (ransomware + data theft) is rising (40% of large claims in H1 2025).,Cyber insurance improves resilience (70% loss impact increase for insureds vs. 250% for uninsured over 4 years).,Seasonal risks (e.g., Black Friday) require heightened vigilance.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Conduct regular patching and backup testing., Assess third-party/supplier cybersecurity risks., Implement MFA and network segmentation to limit lateral movement., Train employees on social engineering (e.g., phishing, fake help desk calls)., Use tabletop exercises to test incident response plans., Adopt cyber insurance to mitigate financial and operational risks., Monitor dark web for stolen credentials/data., Prioritizing digital security and comprehensive risk management. and Prepare for DORA/NIS2 compliance if operating in the EU..

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Allianz Risk Barometer, and Source: Maine Office of the Attorney GeneralDate Accessed: 2024-12-10, and Source: TechRadar, and Source: BleepingComputer, and Source: HaveIBeenPwnedUrl: https://haveibeenpwned.com, and Source: Google Password CheckupUrl: https://passwords.google.com/checkup, and Source: The Conversation (Article on ShinyHunters Vishing Attacks), and Source: Google Security Advisory (2.5B User Alert), and Source: Telegram Post by ShinyHunters (Allianz Life Data Dump)Date Accessed: 2024-08-mid, and Source: Allianz Cyber Security Resilience 2025 ReportUrl: https://www.allianz.com/en/press/news/reports/250627-cyber-security-resilience-2025.htmlDate Accessed: 2025-06-27, and Source: Allianz Commercial - Global Cyber Insurance Market ProjectionsUrl: https://commercial.allianz.com/en/insights/press-releases/cyber-insurance-market-to-double-by-2030.htmlDate Accessed: 2025-06-30, and Source: The RegisterUrl: https://www.theregister.com/2023/10/XX/allianz_westjet_motility_breaches/, and Source: Maine Attorney General’s Office (Allianz Life filing), and Source: Maine Attorney General’s Office (WestJet filing), and Source: Maine Attorney General’s Office (Motility filing), and Source: Maine Attorney General’s Office Filing, and Source: Have I Been Pwned (Breach Monitoring Service)Url: https://haveibeenpwned.com, and Source: Allianz Commercial - Cyber Security Resilience Outlook (2025 Mid-Year Report)Date Accessed: 2025-06-30, and Source: Verizon Data Breach Investigations Report (DBIR).

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public Advisory (Via Media Reports), Encouraging Customers To Check Exposure Via Haveibeenpwned And Google Password Checkup, Google Security Advisory To 2.5B Users, Transparent Disclosure (For Insured Firms), Regulatory Reporting (Dora/Nis2 Compliance), Public Disclosures (Maine Ag Filings), Customer Notifications, Advisories To Exercise Caution, Maine Attorney General’S Office Filing, Direct Customer Notifications, Public Advisory On Protective Measures and Public disclosure of the breach.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Check Exposure Via Haveibeenpwned Or Google Password Checkup., Be Vigilant For Phishing Attempts And Identity Theft (E.G., Fraudulent Loans, Tax Filings)., Consider Freezing Credit Reports If Ssns Were Exposed., , Google'S Global Security Advisory To Users, Google Urged Users To Enable Advanced Security Measures (E.G., Phishing-Resistant Mfa), , Mid-Sized Firms Urged To Adopt Cyber Insurance And Basic Controls., Retailers Advised To Secure Customer Data And Supply Chains., Eu Organizations Must Prepare For Dora/Nis2 Compliance Deadlines., Monitor Financial Accounts For Fraud (If Data Breached)., Report Suspicious Communications (E.G., Phishing, Fake Support Calls)., , All Companies Notified Affected Individuals And Offered Credit Monitoring, Westjet: Encouraged Staff/Customers To Exercise Caution; Allianz/Motility: Provided Identity Protection Services, , Fbi Notification, Public Disclosure Via Maine Ag Office, Written Notifications Sent To Affected Individuals (Starting 2025-08-01)., Offer Of 2 Years Of Kroll Identity Monitoring Services (Single-Bureau Credit Monitoring, Fraud Consultation, Identity Theft Restoration)., Guidance On Protective Measures (Mfa, Credit Freezes, Vigilance Against Phishing)., , Heightened Risk During Holiday Seasons (Black Friday To Year-End)., Smes Urged To Adopt Cyber Insurance And Basic Hygiene Measures., Large Firms Advised To Share Threat Intelligence With Supply Chains., Retail Customers: Monitor Financial Accounts For Fraud During Holidays., Sme Customers: Implement Multi-Factor Authentication (Mfa) And Backups. and .

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Kroll, Cyber Insurance Providers (E.G., Allianz), Forensic Investigators, Legal Counsel, , Early detection reduced losses by 1,000x, Forensic Investigators (Implied), , Cybersecurity Experts (Unnamed), Kroll (Identity Monitoring Services), , Cyber Insurance Providers (E.G., Allianz Commercial), Law Enforcement (International Coordination), , .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Migrate To Phishing-Resistant Mfa Across All Systems., Implement Behavioral Analytics For Voice-Based Authentication Attempts., Establish Cross-Company Red-Team Exercises Focusing On Vishing Scenarios., Enhance Logging/Monitoring For Unusual Access Patterns In Cloud Platforms., Develop Playbooks For Responding To Collaborative Cybercrime Group Attacks., , Mandate Mfa And Least-Privilege Access., Implement Network Segmentation And Zero-Trust Principles., Conduct Regular Phishing Simulations And Security Training., Audit Third-Party Vendors For Cybersecurity Risks., Deploy Edr/Xdr For Early Threat Detection., Test Backups And Incident Response Plans Quarterly., , Credit Monitoring Services, Customer Notifications, , Mandate Cyber Insurance For Smes In High-Risk Sectors., Expand Law Enforcement Coordination For Ransomware Disruption., Promote Adoption Of Nist/Cis Controls For Baseline Security., Incentivize Threat Intelligence Sharing Among Industries., .

Ransom Payment History: The company has Paid ransoms in the past.

Last Attacking Group: The attacking group in the last incident were an ShinyHuntersScattered SpiderLapsu$, ShinyHuntersScattered Spider (UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, Muddled Libra)Lapsus$, Scattered SpiderOpportunistic Cybercriminal GroupsInitial Access Brokers (IABs)Ransomware-as-a-Service (RaaS) Affiliates, Scattered Spider (WestJet)Unnamed actor (Allianz Life)Unnamed actor (Motility Software Solutions) and ShinyHunters (suspected).

Most Recent Incident Detected: The most recent incident detected was on 2024-04-15.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-06-30.

Most Significant Data Compromised: The most significant data compromised in an incident were Personal Information, Names, Addresses, Phone Numbers, Dates of Birth, Tax Identification Numbers, Social Security Numbers, Business Partner Records, , Customer Records, Corporate Partner Data, , Personal Data (Retailers), Customer Records, Payment Information, Sensitive Corporate Data, , , Names, Addresses, Dates of Birth, Social Security Numbers, Email Addresses, , Sensitive Personal Data, Sme Ransomware Breaches: 88% (vs. 39% in large firms), Large Claims With Data Theft: 40% (up from 25% in 2024), Personally Identifiable Information: True, , Sme Ransomware Breaches: 88% (vs. 39% in large firms), Large Claims With Data Theft: 40% (up from 25% in 2024), Personally Identifiable Information: True and .

Most Significant System Affected: The most significant system affected in an incident was Salesforce Instances and Salesforce Customer Management Platform and Retailer IT SystemsManufacturing Supply ChainsProfessional Services FirmsCloud Environments and CRM systems (Allianz Life)Online services and mobile app (WestJet)Internal systems (Motility Software Solutions) and Third-Party Cloud-Based CRM System.

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Kroll, cyber insurance providers (e.g., allianz), forensic investigators, legal counsel, , forensic investigators (implied), , cybersecurity experts (unnamed), kroll (identity monitoring services), , cyber insurance providers (e.g., allianz commercial), law enforcement (international coordination), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Network SegmentationIsolation of Affected SystemsRevoking Compromised Credentials, Isolation of Compromised Third-Party CRMInternal Investigation, Early Detection/Response (Reduces Costs by 1 and000x)Business Continuity Plans.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Business Partner Records, Personal Data (Retailers), Payment Information, Email Addresses, Sensitive Personal Data, Personal Information, Addresses, Customer Records, Tax Identification Numbers, Names, Dates of Birth, Phone Numbers, Corporate Partner Data, Sensitive Corporate Data and Social Security Numbers.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 85.3M.

Highest Ransom Paid: The highest ransom paid in a ransomware incident was Likely not paid (data leaked).

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was 1,500+ privacy litigation cases (US, 2024).

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Seasonal risks (e.g., Black Friday) require heightened vigilance.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Implement stricter access controls and anomaly detection for cloud platforms., Implement MFA and network segmentation to limit lateral movement., Collaborate with industry peers to share threat intelligence on emerging vishing tactics., Leverage cyber insurance for risk transfer and incident response support., Implement phishing-resistant MFA (e.g., FIDO2, number matching, geo-verification)., Implement robust detection/response capabilities (e.g., EDR, SIEM)., Remain vigilant against phishing and credential stuffing attempts., Monitor dark web/Telegram channels for leaked credentials or extortion announcements., Conduct regular patching and backup testing., Educate customers on phishing risks and fraud prevention., Enforce multi-layer verification for sensitive actions (e.g., on-camera ID checks, challenge questions not publicly available)., Deploy AI-based anomaly detection for voice communications in call centers/IT support., Adopt cyber insurance to mitigate financial and operational risks., Monitor dark web/Telegram channels for further leaks., Prepare for DORA/NIS2 compliance if operating in the EU., Regularly review financial statements for unauthorized activity., Offer credit monitoring/identity theft protection to affected customers., Assess third-party/supplier cybersecurity risks., Train employees on social engineering (e.g., phishing, fake help desk calls)., Monitor dark web for stolen credentials/data., Develop and test business continuity plans to reduce interruption costs., Conduct regular vishing simulation exercises for employees, especially IT helpdesk and support teams., Enhance employee training to counter social engineering (e.g., impersonation attacks)., Conduct a forensic audit of Salesforce and related systems., Adopt zero-trust principles, particularly for cloud-based CRM/ERP platforms., Place fraud alerts or credit freezes with major credit bureaus., Use tabletop exercises to test incident response plans., Monitor dark web for stolen data (especially for SMEs)., Prioritizing digital security and comprehensive risk management., Strengthen data privacy compliance to avoid regulatory fines., Prepare for seasonal threats (e.g., holiday shopping periods)., Prioritize supply chain security and third-party risk management., Enable multi-factor authentication (MFA) on sensitive accounts. and Third-party vendors should enhance security protocols against social engineering attacks..

Most Recent Source: The most recent source of information about an incident are Allianz Risk Barometer, The Register, BleepingComputer, Allianz Commercial - Cyber Security Resilience Outlook (2025 Mid-Year Report), Maine Attorney General’s Office (WestJet filing), Google Security Advisory (2.5B User Alert), Allianz Cyber Security Resilience 2025 Report, Allianz Commercial - Global Cyber Insurance Market Projections, Telegram Post by ShinyHunters (Allianz Life Data Dump), TechRadar, HaveIBeenPwned, Have I Been Pwned (Breach Monitoring Service), Maine Attorney General’s Office (Motility filing), Google Password Checkup, The Conversation (Article on ShinyHunters Vishing Attacks), Maine Office of the Attorney General, Verizon Data Breach Investigations Report (DBIR), Maine Attorney General’s Office (Allianz Life filing) and Maine Attorney General’s Office Filing.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://haveibeenpwned.com, https://passwords.google.com/checkup, https://www.allianz.com/en/press/news/reports/250627-cyber-security-resilience-2025.html, https://commercial.allianz.com/en/insights/press-releases/cyber-insurance-market-to-double-by-2030.html, https://www.theregister.com/2023/10/XX/allianz_westjet_motility_breaches/, https://haveibeenpwned.com .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (publicly disclosed, but no official resolution details).

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Google's global security advisory to users, Mid-sized firms urged to adopt cyber insurance and basic controls., Retailers advised to secure customer data and supply chains., EU organizations must prepare for DORA/NIS2 compliance deadlines., All companies notified affected individuals and offered credit monitoring, FBI Notification, Public Disclosure via Maine AG Office, Heightened risk during holiday seasons (Black Friday to year-end)., SMEs urged to adopt cyber insurance and basic hygiene measures., Large firms advised to share threat intelligence with supply chains., .

Most Recent Customer Advisory: The most recent customer advisory issued were an Check exposure via HaveIBeenPwned or Google Password Checkup.Be vigilant for phishing attempts and identity theft (e.g., fraudulent loans, tax filings).Consider freezing credit reports if SSNs were exposed., Google urged users to enable advanced security measures (e.g., phishing-resistant MFA), Monitor financial accounts for fraud (if data breached).Report suspicious communications (e.g., phishing, fake support calls)., WestJet: Encouraged staff/customers to exercise caution; Allianz/Motility: Provided identity protection services, Written notifications sent to affected individuals (starting 2025-08-01).Offer of 2 years of Kroll Identity Monitoring Services (single-bureau credit monitoring, fraud consultation, identity theft restoration).Guidance on protective measures (MFA, credit freezes, vigilance against phishing). and Retail customers: Monitor financial accounts for fraud during holidays.SME customers: Implement multi-factor authentication (MFA) and backups.

Most Recent Entry Point: The most recent entry point used by an initial access broker were an Third-Party Cloud-Based CRM System (via Social Engineering), Likely via compromised Salesforce instances and IT Helpdesk Impersonation via Vishing Calls.

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Often <24 hours (rapid movement to ransomware).

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Unspecified vulnerability in Salesforce or related systemsPossible insufficient access controls or monitoringFailure to prevent data exfiltration post-compromise, Over-reliance on traditional MFA (SMS/email codes) susceptible to vishing.Lack of employee awareness/training on AI-enhanced social engineering.Insufficient verification protocols for high-privilege access requests.Cloud platform (Salesforce) becoming a single point of failure for multiple organizations' data., Lack of Basic Controls (MFA, Patching) in SMEsOver-Reliance on Perimeter Security (No Segmentation)Poor Employee Training on Social EngineeringSupply Chain/Vendor Security GapsDelayed Detection and Response, Successful social engineering attack targeting third-party CRM vendor.Impersonation of IT personnel to gain unauthorized remote access.Exploitation of Salesforce Data Loader tool (suspected)., Inadequate Detection/Response (SMEs)Over-reliance on Digital Supply ChainsLack of Employee Awareness (Social Engineering)Seasonal Operational Strains (e.g., Holiday Staffing).

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Migrate to phishing-resistant MFA across all systems.Implement behavioral analytics for voice-based authentication attempts.Establish cross-company red-team exercises focusing on vishing scenarios.Enhance logging/monitoring for unusual access patterns in cloud platforms.Develop playbooks for responding to collaborative cybercrime group attacks., Mandate MFA and least-privilege access.Implement network segmentation and zero-trust principles.Conduct regular phishing simulations and security training.Audit third-party vendors for cybersecurity risks.Deploy EDR/XDR for early threat detection.Test backups and incident response plans quarterly., Credit monitoring services, customer notifications, Mandate cyber insurance for SMEs in high-risk sectors.Expand law enforcement coordination for ransomware disruption.Promote adoption of NIST/CIS Controls for baseline security.Incentivize threat intelligence sharing among industries..