What the Canada Life hack means for the industry – and what insurers are getting wrong

Many employees at the world’s largest insurance companies still rely on repeated, basic passwords or easy-to-phish MFA for high-value apps

By Branislav Urosevic

Canada Life’s confirmation that a single employee account was used to access the personal data of up to 70,000 people can serve as a case study in how modern insurance operations – a mix of legacy systems, cloud apps and third‑party vendors – are giving attackers exactly what they want.

For Scott Walsh, security researcher at Coalition, the Canada Life incident is a warning shot for the entire sector.

“Insurance runs on multiple different touchpoints, including agents and third‑party vendors, that are all tied into a combination of legacy systems and modern SaaS technologies,” Walsh told Insurance Business. “That mix of old tech, third parties, and high‑pressure customer service via claims infrastructure creates many soft spots for attackers to exploit.”

What makes insurance a particularly strategic target is that these organizations also often hold unusually rich data, including but not limited to PII, financial information, and health details, he said.

“This makes them high‑value targets for attackers, especially as a starting point to execute further supply chain attacks on the insurers’ customers and partners.”

In Canada Life’s case, criminal group ShinyHunters claims to have accessed millions of records through a Salesforce environment tied to an employee account, while the insurer has confirmed exposure for about 70,000 people. Whatever the final number, the path in looks uncomfortably familiar.

The identity problem insurers still haven’t solved

Walsh’s core criticism is that, even now, many large insurers still treat identity and access as an afterthought.

“Many employees at the world’s largest insurance companies still rely on repeated, basic passwords or easy‑to‑phish MFA for high‑value apps (like Salesforce), rather than phishing‑resistant MFA, device checks, and conditional access,” he said.

This, he explained, makes stolen credentials extremely valuable to attackers: one set of credentials effectively works as a master key to every system.

Once an attacker has that “master key,” the difference between a minor incident and an enterprise‑level breach can come down to a handful of settings and access rules. Walsh argues that insurers need to move much faster towards zero‑trust principles.

“Insurance providers need to focus on implementing zero‑trust best practices, meaning employees are only given access to the applications absolutely necessary for their roles,” he said.

Help desks and vendors remain particular weak points.

Walsh said that attackers are regularly succeeding by tricking help desks into resetting credentials or by coming in through less‑secure third‑party environments. “That shows that identity verification, least‑privilege access for vendors, and monitoring of privileged actions are still immature.”

He pointed to last summer’s Scattered Spider campaign against the insurance sector as another example of attackers abusing weak identity controls and support processes.

SaaS and CRM: treated like tools, targeted like infrastructure

One of the more troubling aspects of the Canada Life incident is the reported path into a Salesforce environment. Walsh sees that as part of a broader shift in attacker focus.

“ShinyHunters reportedly got in through a single employee account and then into Canada Life’s Salesforce environment, with claims of access to 5.6 million records and confirmed exposure for ~70,000 customers,” he said. “The group is systematically targeting Salesforce across multiple organizations, demonstrating that CRM and other SaaS platforms need the same level of segmentation, monitoring, and hardening as core infrastructure.”

Too often, he suggested, insurers still think of CRM and SaaS platforms as “just tools” sitting on top of core systems. In reality, these platforms now hold and process vast amounts of customer, adviser and partner data – and are directly reachable from the internet.

If a single identity in one of those systems can see or export millions of records, the organisation has created exactly the kind of concentration of access that modern attackers are looking for.

One compromised account, enterprise‑level consequences

For other insurers and their customers, Walsh said the Canada Life breach underlines one key lesson.

“One compromised account can cascade to become an enterprise‑level incident,” he said.

He believes the industry should assume that help desks, call centres and outsourced IT providers are being probed continuously by sophisticated social engineers, and that attackers are specifically looking for ways to reset or bypass MFA.

“Insurers (and their customers) must assume that help desks, call centers, and outsourced IT are being probed by sophisticated social engineers,” Walsh said. “Moving forward, organizations should enforce multi‑factor verification for any credential/MFA reset, no exceptions for urgent VIPs.”

He also argues that high‑value users – those with access to large data sets or powerful admin functions – should be moved to much stronger authentication methods.

“They should also move high‑value users to phishing‑resistant MFA (FIDO2, WebAuthn, hardware tokens) and segment identity so no single account can see or export millions of records,” he said.
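Two of the controls raised above, segmenting identity so that no single account can see or export millions of records, and monitoring privileged actions such as credential or MFA resets, can be turned into concrete detections over a CRM audit trail. The script below is an added example, not code from the article or from Coalition, Canada Life or Salesforce. It runs over a handful of constructed audit events (the field names, the thresholds and the list of accepted verification methods are assumptions for this example, not any vendor's schema or policy) and flags two things: any account whose exported record count within a sliding window exceeds a ceiling, and any reset honoured without an approved identity-verification method.

```python
"""Detections over constructed SaaS/CRM audit events.

Added example, not code from the article or from any vendor. The event
schema (ts, user, action, records, verification, target) is an assumption
modelled loosely on what CRM audit trails record; all sample values are
constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: an ordinary user, an account pulling far more
# records than any role should need, and two help-desk reset events.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "user": "alice@example.com", "action": "REPORT_EXPORT", "records": 1200},
    {"ts": "2024-01-10T09:05:00", "user": "alice@example.com", "action": "REPORT_EXPORT", "records": 800},
    {"ts": "2024-01-10T02:10:00", "user": "svc-crm@example.com", "action": "REPORT_EXPORT", "records": 1_500_000},
    {"ts": "2024-01-10T02:25:00", "user": "svc-crm@example.com", "action": "REPORT_EXPORT", "records": 1_200_000},
    {"ts": "2024-01-10T02:40:00", "user": "svc-crm@example.com", "action": "BULK_API_QUERY", "records": 900_000},
    {"ts": "2024-01-10T08:30:00", "user": "helpdesk-01", "action": "MFA_RESET",
     "target": "bob@example.com", "verification": "callback_to_registered_phone"},
    {"ts": "2024-01-10T08:45:00", "user": "helpdesk-02", "action": "MFA_RESET",
     "target": "cfo@example.com", "verification": "caller_said_urgent"},
]

EXPORT_ACTIONS = {"REPORT_EXPORT", "BULK_API_QUERY"}
RESET_ACTIONS = {"MFA_RESET", "PASSWORD_RESET"}
# Hypothetical policy: a reset counts as verified only via one of these methods.
ACCEPTED_VERIFICATION = {
    "callback_to_registered_phone",
    "manager_approval_ticket",
    "in_person_id_check",
}


def bulk_export_offenders(events, max_records, window_minutes):
    """Return {user: peak_records} for every user whose exported record count,
    summed over any sliding window of `window_minutes`, exceeds `max_records`.

    A per-identity ceiling like this is one way to make "no single account can
    export millions of records" observable rather than aspirational.
    """
    window = timedelta(minutes=window_minutes)
    per_user = defaultdict(list)
    for e in events:
        if e["action"] in EXPORT_ACTIONS:
            per_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["records"]))

    offenders = {}
    for user, rows in per_user.items():
        rows.sort()                      # chronological order for the sliding window
        start, running, peak = 0, 0, 0
        for ts, count in rows:
            running += count
            # Drop events that have fallen out of the window ending at `ts`.
            while ts - rows[start][0] > window:
                running -= rows[start][1]
                start += 1
            peak = max(peak, running)
        if peak > max_records:
            offenders[user] = peak
    return offenders


def unverified_resets(events):
    """Return credential/MFA reset events whose recorded verification method is
    not on the accepted list (including resets with no verification logged).

    Applied to the help-desk queue, this is the audit side of "multi-factor
    verification for any credential/MFA reset, no exceptions for urgent VIPs".
    """
    return [
        e for e in events
        if e["action"] in RESET_ACTIONS
        and e.get("verification") not in ACCEPTED_VERIFICATION
    ]


if __name__ == "__main__":
    for user, peak in bulk_export_offenders(SAMPLE_EVENTS, 100_000, 60).items():
        print(f"ALERT bulk export: {user} pulled {peak:,} records within 60 min")
    for e in unverified_resets(SAMPLE_EVENTS):
        print(f"ALERT unverified reset: {e['user']} reset {e['target']} "
              f"(verification={e.get('verification')!r})")
```

The export ceiling is deliberately per identity rather than per request: splitting a large pull into several smaller exports or mixing UI reports with bulk API queries still sums to one figure for one account, which is the concentration-of-access problem the article describes. In practice the ceiling would be set per role from the access review that least-privilege implies, and the reset check would feed a ticketing or SIEM workflow rather than print.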
