Prudential Insurance Company of America says MOVEit Transfer hack impacted 320k customers

The Prudential Insurance Company of America said it suffered a data breach after one of its vendors, Pension Benefit Information, suffered a cyber security incident as a result of the Clop ransomware group exploiting a zero-day vulnerability in the MOVEit Transfer web application.

New Jersey-based Prudential Insurance Company of America is a financial services company that provides retail and institutional clients with a wide range of services, including retirement planning, insurance, investment management, and more.

In a recent filing with the office of the Attorney General of Maine, Prudential said that one of its third-party vendors, Pension Benefit Information (PBI), was a victim of a significant data breach that had a cascading effect on the insurance company. PBI provides regulatory compliance and operational support services for insurance companies, pension funds, and other organisations, including the Prudential Insurance Company.

PBI, like several other organisations around the world, used Progress Software’s MOVEit file transfer application to send and receive data from some of its clients and was affected by malicious exploitation of a zero-day vulnerability in the file transfer software.

Soon after PBI became aware of the security incident involving the MOVEit file transfer application, it launched an internal investigation to understand the nature and scope of the security incident.

“Through our investigation, we learned that the third party accessed one of our MOVEit Transfer servers on May 29, 2023 and May 30, 2023 and downloaded data. We then conducted a manual review of our records to confirm the identities of individuals potentially affected by this event and their contact information to provide notifications. We recently completed this review and shared the findings with our impacted customers,” the company said.

The compromised data included names, addresses, dates of birth, phone numbers, and social security numbers. PBI’s notice of data breach, however, confirms that Prudential’s information systems and operations were not impacted by the incident.

PBI initially said in a filing with the office of the Maine Attorney General that about 371,359 individuals were affected by the data security incident. The company later said in a separate filing with the U.S. Department of Health and Human Services Office for Civil Rights that the incident impacted at least 1,209,825 individuals.

Likewise, in the first filing, Prudential said that only 89 individuals were impacted by the incident but later revised the number in a second filing with the Maine Attorney General’s office to state that at least 320,840 individuals were affected by the data breach.

PBI says it is providing two years of complimentary credit monitoring and identity restoration services through Kroll to all affected individuals and has set up a hotline where impacted clients can call and get their queries answered.