Responding to a massive cyber-attack at a multi-national insurance broker



A multi-national insurance broker faced a severe ransomware attack, triggering a partial network shutdown and massive data exfiltration. The threat actor demanded immediate attention and a sophisticated, creative, strategic response.


  • CRA’s Forensic Services Practice leveraged sophisticated endpoint management tools, deployed across 35,000 endpoints, to provide comprehensive asset visibility and leading endpoint detection and response tools to accelerate the hunt for threats. Using our proprietary scripts, we quickly identified and halted malicious activities and assisted with effective threat actor negotiations.
  • By using statistical sampling, our team was able to defensibly reduce the review population from 3.3 million to 1.3 million documents, mitigating cost and accelerating time to notification.
  • Our analytics and document review teams reviewed these documents and consolidated the data associated with 47 million entries down to approximately 4 million unique entries after concatenation and deduplication.


Our rolling deliverables supported a unique dual notification effort: 1) substitute notice to generally alert impacted individuals quickly and 2) timely specific notice to individuals after our sampling and analytics workflows were completed. In addition, the client’s regulator indicated that they took particular comfort upon learning that our team was conducting the investigation.

The team was co-led by Kristofer Swanson, Vice President and Forensic Services Practice Leader, and Aniket Bhardwaj, Vice President, with invaluable assistance from colleagues including Riley Burningham, Carlo Lakay, Rob Lay, Jordan Kraner, Peter Clarke, Karlin Thomas, Peter Stavroplos, Kaya Overholtzer, Kieran Lavrich, David Lee, Tim Baklanov, Yung Han Yoon, Ronan Roque, Jacob Feldman, Hugo Trivino, and Zach Wendler.
