Hackers have broken into The Hartford insurance company and installed password-stealing programs on several of the company's Windows servers.
In a warning letter sent last month to about 300 employees, contractors, and a handful of customers, the company said it discovered the infection in late February. Several servers were hit, including Citrix servers used by employees for remote access to IT systems. A copy of The Hartford's letter was posted earlier this week to the website of the Office of the New Hampshire Attorney General.
"It was a very small incident," said Debora Raymond, a company spokeswoman. The victims were mostly company employees. Less than 10 customers were affected by the malware, the W32-Qakbot Trojan, she said.
Qakbot has been around for about two years. Once installed it spreads from computer to computer in the network, taking steps to cover its tracks as it logs sensitive data and opens up back doors for the hackers to access the network.
With 28,000 employees worldwide, the 200-year-old Hartford, Connecticut, firm is one of the country's largest insurance companies.
The Hartford's letters are going out to "users who logged onto an infected server (either through a Citrix session or support purposes)" between 22 February and 28 Febuary 2011, The Hartford said in its letter.
"We do know that the virus has the potential to capture confidential data such as bank account numbers, Social Security numbers, user accounts/logins, passwords, and credit card numbers," the letter states.
It's not clear how The Hartford was infected, but hackers have been targeting staffers for years now - particularly those in IT - with targeted email attacks, trying to trick them into visiting malicious websites or downloading Trojan horse programs. Security experts say that these attacks are widespread and often methodically planned.
Despite the presence of keylogging software, the insurance company's lawyer, Debra Hampson, said that her company has "no reason to believe that any information has been or will be misused". Victims are being given two years' free credit monitoring.
Working with its antivirus vendor, The Hartford has cleaned up the infected servers and is working on locking down its systems. One of the steps, Hampson said: "Providing additional privacy and information security training for employees in order to warn them of the dangers of downloading files from unknown sources on the Internet."