The breach, which is under investigation by the FBI, led to losses of $6.85 million, although a portion of that has been recovered, administration officials said.
The cyberattack was carried out at the little-known Office of the Special Deputy Receiver, a nonprofit that works with the director of the Illinois Department of Insurance and exists largely to protect creditors and policyholders of financially troubled or insolvent insurance companies.
While state officials were saying little about the cyberattack, the office's former chief financial officer, Douglas Harrell, told the Tribune that his email was hijacked by hackers who then directed others how to invest money with what appeared to be approval of his superiors.
Harrell said a quick call to bank officials blocked a significant amount of the $6.85 million from being lost before all transactions became final.
The agency learned of the breach July 15 and contacted the Pritzker administration and the Illinois State Police, Harrell said.
The Department of Insurance places financially troubled or insolvent insurance companies with the Office of the Special Deputy Receiver to oversee receiverships, where remaining assets and distributions are handled with court oversight.
The special deputy receiver was formed as a nonprofit in 1991 to "administer the estates of insolvent or financially troubled Illinois insurance companies placed in judicially supervised receiverships," according to the Illinois Department of Insurance. The basic leftover pieces of these companies and their policyholders are put into what are called "estates."
The estates of two car insurance companies - Gateway Insurance Co. and Affirmative Insurance Co. - were victims of the cyberattack by a "criminal actor," said Caron Brookens, insurance department spokeswoman.
The Gateway Insurance estate suffered a loss of $2,148,728 resulting from wrongful wire transfers, officials said.
The Affirmative Insurance estate initially suffered a loss of $4,700,500 as a result of wrongful wire transfers, but $2,870,500 of Affirmative's money has been recovered, according to state officials and a company report.
The theft is the latest example of how online scammers see agencies in and around state government as fertile targets. Cyberattacks may have diverted more than a billion dollars in unemployment checks intended for people laid off during the coronavirus pandemic in Illinois alone.
A ransomware attack in April crippled computer systems in Democratic Attorney General Kwame Raoul's office, costing taxpayers millions to upgrade the office as it sought to regain its footing.
Other attacks have involved what's known as "SMS phishing" or "smishing," in which fake messages went to cellphones seeking to lure Illinois residents into clicking on phony warnings about driver's licenses so they would unwittingly fall victim to computer viruses.
In an interview, Harrell said an internal review of what happened at the Office of the Special Deputy Receiver showed that cybercriminals had taken over his email and spied on him for two or three weeks.
"They controlled my email and gave directions," Harrell said. "My folks thought I was directing them to invest in a certain way" - and that his bosses had approved the transactions, he said.
Harrell said he spotted the wrongful transactions "right away" and "called everybody within two minutes" to address the matter with senior management, including the top technology officials and lawyers.
He said he quickly called bankers handling the transactions and was able to halt the activity "for some of the wires," allowing them to recall some of the funds before transactions were completed.
"What's really a shame is criminals just taking advantage of COVID," said Harrell, saying he and others were working from home because of the virus. "Without a cybersecurity expert at our shop ... we weren't prepared. We just didn't know how to protect ourselves properly from cyberhackers," particularly away from the office.
"It's just fraud through and through," Harrell said.
Had Harrell and others been working in the office, he said, their face-to-face communication could have prevented the fraudulent activity the cybercriminals directed by using fake emails.
"I was a victim," Harrell said.
Harrell said he stayed with the agency a few months to help address the matter but also eventually offered, "as the highest-ranking financial person," to resign along with another top official, Joe Harris, who was controller.
The Department of Insurance declined to give any details of the cyberattack, and would not say how the money was recovered, saying it could compromise any investigation.
Brookens confirmed Harrell and Harris no longer worked at the Office of Special Deputy Receiver but declined to give any more information on why they had left the agency.
People familiar with the way the agency has worked over the years said one person would be able to initiate a wire transfer, but the process would take several steps on an account protected by a password. Another person would have to confirm the transaction.
Gateway sold commercial auto insurance, such as for taxis and limousines, and Affirmative sold personal auto insurance, Brookens wrote in response to Tribune inquiries.
Despite the cyberattack, policyholders may come out OK.
"The majority of the policyholders' claims are covered under the Illinois or other state guaranty funds and will therefore not be impacted," Brookens wrote. "Because the companies are in receivership and determination of final policyholder liability will take several years, the total number of policyholders potentially impacted is unknown."
Insurance companies under liquidation are backed by a guaranty fund that gets its money from active insurance companies, which are generally obliged to make up for losses from insolvent firms. This guaranty fund covers consumers' insurance related-losses.
The Office of the Special Deputy Receiver has insurance for cyber fraud, and recovery efforts are ongoing, Brookens said.
"Any exposed vulnerability has been assessed and (the receiver's office) has added additional protocol and controls to ensure that it can best safeguard against any future criminal cyberattacks," Brookens said.
Brookens also said the Office of Special Deputy Receiver "has taken appropriate steps to mitigate the breach and prevent it from happening again."
Even so, Rockford Republican Sen. Dave Syverson, minority spokesman for the upper chamber's Insurance Committee, said hearings should be held to review how the cyberattack happened and what can be done to prevent future problems.
Buckle Corp. of Jersey City, New Jersey, bought the charter of Gateway Insurance Co. for $4.2 million in 2020 through a court-supervised auction in Cook County, according to Marty Young, Buckle's co-founder and CEO.
The new company did not take over the assets or the liabilities of the Gateway estate, giving a fresh start to the new firm.
As of its Sept. 30 report, company officials said, the new Gateway Insurance Co. has 20,000 to 25,000 customers, across the country, including about 2% in Illinois.
Only about 100 of the old company's customers are among the current customers in the new company, according to Buckle.