The compromise of PBI Research and The Berwyn Group’s MOVEit installation has resulted in the theft of data belonging to several pension systems and insurance companies – and millions of their users.
PBI + Berwyn Group – a population management provider – was hit in May, through a (then) zero-day vulnerability in the popular managed file transfer solution. The database(s) connected to the vulnerable systems contained data of many organizations, including CalPERS, CalSTRS, Genworth Financial, and Wilton Reassurance.
PBI notified its clients and implemented measures to minimize any potential harm, and the affected organizations have started sharing what the breach means for their users.
The fallout from the PBI Research MOVEit compromise
CalPERS – the California Public Employees’ Retirement System, which is also the largest pension system in the US – says that personal information of approximately 769,000 members has been compromised. All of them will receive notification letters regarding the impacted personal information and will be provided with free access to credit monitoring for a period of two years.
“PBI provides services to CalPERS to identify member deaths. These services ensure that proper payments are made to retirees and beneficiaries and prevent instances of overpayments or other errors,” CalPERS noted.
CalSTRS, the California State Teachers’ Retirement System, is yet to identify whether any members have been affected by the incident, but it assured clients that threat actors did not access CalSTRS’ network.
On June 7, PBI alerted Wilton Reassurance – an insurance provider – about the incident in MOVEit Transfer.
According to the data breach notification Wilton Reassurance sent to the Office of the Maine Attorney General, the breach affected 1,482,490 of its customers, and the compromised information included their names and social security numbers.
The same incident also impacted policy holders and agents of life insurance company Genworth.
“PBI Research Services, or PBI, is a third-party vendor that Genworth uses to satisfy regulatory obligations to scan social security data to determine whether a customer may have passed and triggered death benefits under a life insurance policy or annuity contract. We also partner with PBI to identify deaths across our other lines of insurance and insurance agents to whom we pay commissions,” the company explained.
“The event included personal information for approximately ~2.5-2.7 million individuals who are either customers or insurance agents. The personal information accessed included life insurance, individual long-term care insurance, and annuity customers. We are working to understand what personal information related to our group long-term care products may have been affected. For policyholders, the exposed information includes: social security number, name, date of birth, zip code, state of residence, and policy number. For agents, the exposed information includes the agent ID, name, date of birth, and full address.”