Insurance firm Ardonagh Group disabled 200 admin accounts as ransomware infection took hold

Jersey-headquartered insurance company Ardonagh Group has suffered a potential ransomware infection. Informed sources whispered to The Register that the insurance firm had been forced to suspend 200 internal accounts with admin privileges as the "cyber incident" progressed through its IT estate. The UK's second largest …

  1. sanmigueelbeer Silver badge
    Facepalm

    200 admin accounts?

    Y'sure you have enough there, mate?

    1. chivo243 Silver badge
      Trollface

      Mind boggling... just boggling.

    2. Anonymous Coward
      Anonymous Coward

      We have 5 admins and 2 admin accounts...

      The admins don't work with admin accounts on a standard basis, only when they actually need to change system settings somewhere.

      1. Anonymous Coward
        Anonymous Coward

        RBAC

        With 5 admins, there should be 5 accounts, where each can use role-based access control to take on a privileged role when the account owner needs it. If the admins share those 2 accounts you don't have a proper audit trail of who did what.

        1. robgr

          Re: RBAC

          Not true. Products like CyberArk allow individual users to safely share accounts and still provide full audit capability. The more accounts you have, the bigger the attack vector.

        2. JCitizen
          Stop

          Re: RBAC

          News to me; we had 1 admin account, the CIO, and he was the only one that needed the power to do ANYTHING on the network. We were under HIPAA and they didn't want to take any risk at all. Of course the organization was a big one, and had a CEO and many administrator positions of several kinds, but all of those only required the usual data entry, email, etc., and the thought they'd need any more is rather ridiculous, if you ask me.

      2. sitta_europea

        "We have 5 admins and 2 admin accounts...

        The admins don't work with admin accounts on a standard basis, only when they actually need to change system settings somewhere."

        Yeah, but they know what they're doing.

    3. Pascal Monett Silver badge

      My thought exactly. There are at least 195 accounts too many that have that level of access.

      They should start by pruning that.

      Unless, of course, that level of access is not controlled by web firewalls and therefore upper management can continue surfing - uh - specific productivity websites, yeah, that's it.
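Two points in the thread above are checkable rather than just arguable: the RBAC comment's claim that shared admin accounts lose the audit trail of who did what, and the suggestion that a large pool of standing admin accounts should be pruned first. The script below is an added example, not code from any commenter or from Ardonagh Group; it runs over a constructed account inventory and a constructed audit log (the account names, hosts and actions are invented) and reports stale admin accounts that are candidates for removal, plus admin accounts with no named owner that have been used from more than one host, which is exactly the case where an audit record cannot be tied to a person.

```python
"""Review standing admin accounts from a constructed inventory and audit log.

Added example (not from the forum thread). Flags admin accounts that have not
used their privilege recently (pruning candidates) and shared, ownerless admin
accounts whose actions cannot be attributed to a single person.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inventory: account -> admin flag and the human who owns it
# (None means a shared or service account with no single owner).
ACCOUNTS = {
    "alice.admin":   {"admin": True,  "owner": "alice"},
    "bob.admin":     {"admin": True,  "owner": "bob"},
    "svc-backup":    {"admin": True,  "owner": None},   # service account, one host
    "shared-admin":  {"admin": True,  "owner": None},   # shared by several people
    "legacy-admin7": {"admin": True,  "owner": "carol"},  # unused for months
    "dave":          {"admin": False, "owner": "dave"},
}

# Constructed sample audit log: (ISO timestamp, account, source host, action).
AUDIT_LOG = [
    ("2021-01-04T09:12:00", "alice.admin",   "ws-alice", "group_policy_change"),
    ("2021-01-05T10:30:00", "shared-admin",  "ws-bob",   "service_restart"),
    ("2021-01-05T10:31:00", "shared-admin",  "ws-eve",   "user_create"),
    ("2021-01-06T14:00:00", "bob.admin",     "ws-bob",   "service_restart"),
    ("2020-09-01T08:00:00", "legacy-admin7", "ws-carol", "software_install"),
    ("2021-01-07T02:00:00", "svc-backup",    "backup01", "backup_run"),
    ("2021-01-07T02:00:00", "svc-backup",    "backup01", "backup_run"),
]


def parse_log(log):
    """Turn the raw tuples into (datetime, account, host, action)."""
    return [(datetime.fromisoformat(ts), acct, host, action)
            for ts, acct, host, action in log]


def standing_admin_count(accounts):
    """Number of accounts that hold admin privilege permanently."""
    return sum(1 for meta in accounts.values() if meta["admin"])


def stale_admin_accounts(accounts, log, now, max_idle_days=90):
    """Admin accounts with no privileged action within max_idle_days.

    These are the first candidates to remove or downgrade: privilege that is
    never exercised is pure attack surface.
    """
    cutoff = now - timedelta(days=max_idle_days)
    last_seen = {}
    for ts, acct, _host, _action in parse_log(log):
        if acct not in last_seen or ts > last_seen[acct]:
            last_seen[acct] = ts
    stale = []
    for acct, meta in accounts.items():
        if not meta["admin"]:
            continue
        seen = last_seen.get(acct)
        if seen is None or seen < cutoff:
            stale.append(acct)
    return sorted(stale)


def unattributable_accounts(accounts, log):
    """Ownerless admin accounts used from more than one host.

    With no named owner and activity from several machines, the log cannot
    say which person performed a given action; that is the audit-trail gap
    the RBAC comment describes.
    """
    hosts = defaultdict(set)
    for _ts, acct, host, _action in parse_log(log):
        hosts[acct].add(host)
    return sorted(acct for acct, meta in accounts.items()
                  if meta["admin"] and meta["owner"] is None and len(hosts[acct]) > 1)


def review(accounts, log, now_iso, max_idle_days=90):
    """Run all checks and return a plain dict suitable for a report."""
    now = datetime.fromisoformat(now_iso)
    return {
        "standing_admin_accounts": standing_admin_count(accounts),
        "stale": stale_admin_accounts(accounts, log, now, max_idle_days),
        "unattributable": unattributable_accounts(accounts, log),
    }


if __name__ == "__main__":
    for key, value in review(ACCOUNTS, AUDIT_LOG, "2021-01-08T00:00:00").items():
        print(f"{key}: {value}")
```

On the constructed data the report lists five standing admin accounts, one stale account (legacy-admin7, last privileged action in September) and one unattributable shared account (shared-admin, used from two workstations). The same two checks can be pointed at a real directory export and privileged-operation log; the idle threshold and the "multiple hosts" heuristic are policy choices, not fixed rules.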

    4. Anonymous Coward
      Anonymous Coward

      > 200 admin accounts?

      > Y'sure you have enough there, mate?

      I assume they meant users with local admin access, not 200 domain admins. Even if they had zero users with local admin access, ransomware doesn't seem to find that much of a problem these days.

    5. RM Myers

      200 admin accounts

      According to their website, they have over 100 offices. Maybe they have two admins per office? Also, given the number of companies they have bought recently, I wouldn't be surprised if there aren't duplicate IT areas. I know when my former employer bought out other companies, the IT departments were merged years after the acquisitions were completed, and also long after we had some access to their networks.

    6. jake Silver badge

      100 offices, 5000 employees.

      I can see where they'd have 200 admin accounts. It's a side effect of a lifetime of being brainwashed by the Windows way of doing things. Sadly, this is quite common in today's business world.

      Note: I don't condone it. Nor do I practice it. Just reporting what I've seen. And occasionally fixed, where allowed.

  2. Anonymous Coward
    Anonymous Coward

    They insured for this?

    1. lglethal Silver badge
      Holmes

      Almost certainly, and their insurer is probably insured for it as well, and theirs, and theirs, and so on.

      It's Insurance Companies all the way down...

      1. KittenHuffer Silver badge

        That's a given since it's not easy to get lower than an insurance company!!!

      2. Steve K

        Reinsurance spiral!

        Yes, the great Reinsurance Spiral galaxy!

        1. sitta_europea

          Re: Reinsurance spiral!

          "Yes, the great Reinsurance Spiral galaxy!"

          Wasn't it a fellow called Ponzi who first did that?

  3. sitta_europea

    "The incident was IDENTIFIED as a result of the routine comprehensive monitoring we have in place. ..."

    A shame it wasn't PREVENTED by all the routine security they have in place.

    (My emphasis.)

    1. Imhotep

      We Monitored Our Email

      The demand for ransom is also a clue.

    2. Claptrap314 Silver badge

      Until we have an after-action report, we really cannot say if their security was proper or not.

      If you believe your **** doesn't stink, allow me to assure you it does. Build systems so that single failures don't result in total compromise. Design your systems to permit tracking of intrusions.

      Because no fortress stands forever.
