2.5 Million Customers and Agents of Largest US Public Pension Firm Affected
The number of victims affected by a campaign that targeted a zero-day vulnerability in Progress Software’s MOVEit file-transfer product to steal data continues to grow.
America’s largest pension fund, Genworth Financial, reported that approximately 2.5 million to 2.7 million of its customers and agents appear to have been affected after attackers hit its third-party service provider PBI Research Services. PBI uses MOVEit, and the software contained a zero-day vulnerability that a Russian-language ransomware group appears to have exploited to steal data from hundreds of victims, affecting millions of individuals.
Based in Richmond, Virginia, Genworth sells life insurance, long-term care insurance, mortgage insurance and annuities.
The attack against PBI’s MOVEit software enabled attackers to steal personal data for customers and insurance agents, including Social Security numbers, Genworth reported in an 8-K filing to the Securities and Exchange Commission on Thursday.
PBI, based in Minneapolis, helps insurers comply with regulatory rules requiring them to identify when customers die, to trigger and deliver death benefits. Genworth said it also uses PBI to identify beneficiaries, as well as any agents who have passed away, as part of its reporting process for commissions.
On Thursday, the California Public Employees’ Retirement System, which serves more than 2 million active members, disclosed that nearly 770,000 of its members also had been affected due to the attack against PBI. CalPERS said PBI notified it about the breach on June 6, saying personal information including names, birthdates and Social Security numbers had been stolen. CalPERS has started notifying victims.
Genworth received its breach alert from PBI on June 16, after which the two organizations jointly launched an investigation to identify precisely what data the attacker had exfiltrated. The probe is ongoing.
The pension fund has promised to alert victims as well as federal and state regulators as soon as possible. “Impacted individuals will be offered credit monitoring and identity theft protection services,” the company’s data breach FAQ says.
So far, the probe has found that the following data pertaining to a “significant portion” of its life insurance and annuity customers was stolen: Social Security number, name, birthdate, ZIP code, state of residence and policy number. “We are working to understand what personal information related to our group long-term care products may have been affected,” Genworth said.
For agents who sell Genworth products, exposed information includes the agent’s ID number, name, birthdate and full address.
Genworth said it does not use Progress Software’s MOVEit file transfer software or Fortra’s GoAnywhere file transfer software. The Clop ransomware group has claimed credit for large-scale attacks that targeted different zero-day vulnerabilities in both file transfer products. While Clop has regularly wielded crypto-locking malware, both of its file transfer software supply-chain attacks appear to have only involved data exfiltration.
The GoAnywhere attacks appear to have begun on Jan. 25, after which Fortra released a patch for the exploited vulnerability on Feb. 7. Clop claimed to have hit at least 130 organizations in the attacks. Victims have since filed multiple proposed class action lawsuits in federal court against Fortra.
The majority of MOVEit attacks appear to have begun around May 27-28, likely timed to take advantage of the long Memorial Day holiday weekend in the United States. During the attacks, security experts suspect, Clop stole data from hundreds of organizations. Victims that have been named by Clop or have issued data breach notifications include the BBC, Boots, British Airways, Shell, the U.S. Department of Energy and Louisiana’s Office of Motor Vehicles.
PBI believes its MOVEit software was hit by attackers from May 29 to May 30. The company said it had implemented software updates issued by Progress Software on June 2 to patch the exploited vulnerability. Since then, Progress has issued updates to fix two more zero-day vulnerabilities found in the software.
Clop continues to list on its dedicated data leak site victims who fail to pay it a ransom. While multiple government agencies have said they fell victim, Clop has refrained from posting their data and appears to be claiming to not have stolen data from them in the first place.
Earlier this week, some Louisiana residents affected by the OMV data breach filed a proposed class action lawsuit in federal court, accusing Progress Software of failing to maintain sufficient security or monitoring controls.