Recovering 314,000 PLN from a policy after a ransomware attack

The challenge

A ransomware attack on March 12, 2024, paralyzed 42 key servers in just 3 hours. Every day of downtime generated 87,400 PLN in real operational loss. After restoring the systems, the insurer rejected a compensation claim for 314,000 PLN. They argued that one of the VPN ports did not have active two-factor authentication, which allegedly broke the policy terms. The board was left with debts and a sense of injustice.

Our approach

Our 3-person team conducted a deep analysis of 214 GB of system logs from the fateful week. We checked what works and what doesn't in the arguments of the insurer's lawyers. We focused on hard technical evidence. We showed that the hackers' entry occurred through a completely different path, which was fully secured and compliant with the contract. We know the realities of Polish companies and know that the devil is in the technical details, which loss adjusters often do not understand.

The solution

We prepared a 28-page technical report that left no doubt about the course of the attack. The documentation included a network traffic map and evidence that 97.3% of systems had current security patches on the day of the incident. We confronted these facts with the insurer's legal department during two mediation meetings. Additionally, we implemented a new access management system to close the gap that had actually become a gateway for the attackers.

Results

The insurer withdrew its denial after receiving our analysis and paid the full compensation amount with interest. Logistyk-Pol regained financial liquidity, and the board received a clear protection strategy for the future.

Timeline

1. April 2024
   Forensic analysis of server logs and policy verification.
2. May 2024
   Submission of technical report and formal appeal of the decision.
3. June 2024
   Negotiations with the insurer and fund transfer to client's account.