Cyber criminals are using stolen insurance documents to extort the maximum ransom from their victims, with one such group declaring, ‘we are very well informed and precise in our operations, so we know that Wootton have cyber insurance that reaches £500k’

Speaking on the Tosh Show podcast in September of this year, Alex Stamos, the former chief security officer at Facebook and Yahoo, said something revealing about the nature of cyber crime.

Cyber criminals, he said, particularly those utilising ransomware, don’t just pluck their ransom demands out of thin air – they often have a methodology in place for extracting the maximum value they can from each attack.

He explained: “Often what they’re asking for is how much you’re insured for. What they’ll do is they’ll hack in, encrypt your systems and steal your data, then they’ll ransom you for it – it’s called ransomware.

“And one of the things they look for when they break in is your insurance policy. They’ll figure out how much insurance you have and they’ll say, ‘oh my friend, you have £5m of insurance – just pay us the insured amount of money’.”

Stamos’ comments make clear that the issue of exploited insurance documents isn’t a theoretical one – with recent breaches confirming this – but just how serious a problem could it be for the industry?

The scale of the problem

Given the reticence of victims to even acknowledge cyber attacks, let alone discuss their finer details, assessing how widespread the practice is can be challenging – though anecdotal evidence makes it clear that hackers will pounce on the opportunity when it arises.

In a 2025 attack on Storage King UK, hackers announced they had gained access to company datasets, employee information and insurance documents, while in a 2022 attack on Wootton Academy Trust in Bedfordshire, hackers went as far as to publicly divulge the insurance information they had stolen.

“We are very well informed and precise in our operations, so we know that Wootton have cyber insurance that reaches £500k,” they announced in a message to the victims.

The issue isn’t restricted to setting ransom demands, however. Anton Yunussov, head of cyber security practice at professional services firm Forvis Mazars, explained how the use of insurance documents gives hackers additional leverage.

He told Insurance Times: “Beyond coverage limits, it allows hackers to gain substantial additional bargaining power. They weaponise this intelligence during negotiations by understanding exclusions, what’s included, sub-limits, deductibles, claims procedures and can then apply pressure at precisely calibrated points.

“So, what hackers do is they calibrate business interruption tolerances, regulatory exposure, reputation and other vulnerabilities and use that as a weapon to extort.”

Data breach incidents are already incredibly costly for companies. Indeed, statistics from credit rating agency Morningstar DBRS showed that the average data breach cost for major industries is often in the multiple millions of pounds, with healthcare breaches topping the charts at a worrying £8.4m on average.

Impact on insurers

The financial leverage that insurance documents give to hackers is clear – and the impact is often passed on to insurers.

Public awareness of insurance coverage – such as in the Wootton Academy Trust incident – can lead to increased pressure for insureds to accept the ransom demands, especially in circumstances where the hackers are also threatening to release sensitive information.

Likewise, firms looking to avoid expensive business interruption costs – which hackers may know they are not covered for – and the impact of failing to deliver products or services to third parties may be more readily inclined to co-operate with criminals.

Factors such as these could increase insurer payouts greatly. Taking the Marks and Spencer (M&S) attack in 2025 as an example – for which there was no indication that the hackers had access to insurance documents – insurer Allianz could have found its coverage limits acting as a ransom target for the criminals.

M&S, which did not confirm if it had paid a ransom, reportedly had a £100m coverage limit with Allianz, a fact which hackers could have exploited given the roughly £300m business interruption impact the incident ultimately had.

As it happened, the payout from Allianz was believed to be somewhere in the region of £10m.

Planning ahead

With the rapidly changing technological landscape, it’s important for insurers to consider all possible evolutions of the ransomware market – including what would happen if hackers were to lose access to such documents.

Roger Franklin, partner and head of insurance disputes at law firm Edwin Coe, makes the point that reducing the bargaining accuracy of cyber criminals is a double-edged sword. With largely inescapable ransomware tools, hackers have the potential to draw out painful negotiations.

Franklin explained: “The risk for the target is that if [ransom negotiations] go on any longer, they’ll suffer much larger losses than the amount of the ransom.

“Of course, that’s in the back of the mind of the insurers as well, because if they don’t pay the ransom, they’ll potentially be on the book for a large business interruption loss and all the third party claims that arise from it.”

An increased focus on costly business and supply-chain interruptions would be a challenge for insurers, especially given the cyber market’s perceived greenness and lack of penetration.

On the other hand, longer negotiations can be an opportunity for victims to relaunch their systems and investigate the hackers.

“The longer it goes on, the more interaction you have to have with the party you’re blackmailing. If you can do it quickly, then there’s less chance of detection,” added Franklin.

These factors cause headaches for insurers but, worse still, with the financial incentives clear, hackers could turn their attention to stealing insurance information directly from insurers.

“I suspect that insurance firms would be a target for cyber attackers, specifically to get the insurance details,” Yunussov confirmed.

Rather than guessing at the technological changes the cyber market may see over the coming years, insurers and insureds alike should focus on a set of solid fundamental hygiene practices.

Yunussov concluded: “Basic cyber hygiene is still very important to protecting businesses from falling victim to ransomware – things like patching, multi-factor authentication, strong access control, detecting technology and incident response.

“That need hasn’t gone away, the investment in cyber security is still very much key to protecting your assets.”