The attack this year on the MOVEit file transfer system by the Cl0p ransomware gang has been especially cruel to your favorite clients.
The attack hit the conscientious people who buy life insurance to protect their loved ones; use life insurance, annuities or individual investment accounts to save for a dignified retirement; or participate in employer-sponsored retirement plans.
The Cl0p hackers got at those clients by finding and using a weakness in MOVEit, a tool from Progress Software that organizations use to move big batches of sensitive data.
MOVEit has a diverse user base, including weather researchers and the military.
Progress notes that on May 31 it disclosed the vulnerability the hackers exploited, and that it deployed a patch the same day.
Why Did the MOVEit Breach Affect So Many Insurance Companies?
MOVEit is a tool that’s as common as shoes and socks at financial services companies, partly because PBI Research Services, a dominant player in the death audit services market, uses MOVEit to help companies determine whether insurance policy owners, annuity contract owners, investment account owners and retirement plan participants are still alive.
At least 1,006 organizations have reported MOVEit-related breaches as of Aug. 28, according to KonBriefing Research. Those breaches have affected more than 49 million people.
What Happens Now?
In 2021, a typical U.S. Social Security number sold for about $2, meaning that, in theory, the MOVEit hack victims’ numbers could be worth about $80 million on the resale market.
Whatever personal information was stolen may now be available for free to people who know how to find it and use it, because Cl0p said earlier this month that it was dumping all of the records it hacked on the web, according to press reports.
Cybersecurity experts have suggested that organizations like Cl0p may try to supplement revenue from selling hacked personal data by trying to persuade affected companies to pay ransoms, to avoid having hacked data exposed.
Many financial services organizations are still trying to determine whether they were breached and how to report a breach. Most Cl0p breach size information comes from companies that happened to send reports to the Office of the Maine Attorney General, which posts a breach list that includes national impact estimates.
If organizations have reported breaches only to a state like California or Maine, national estimates of the number of people affected by those breaches may be unavailable.
Here’s a list of the MOVEit-related life, annuity, asset management, retirement services and support services organization breaches we could find, based on the breach feeds provided by Maine, California and other states, and on disclosure notices some companies filed with the U.S. Securities and Exchange Commission.
We excluded local banks, credit unions, health insurers, and property and casualty insurers. We included some organizations outside the retirement services sector, like Maximus, a major Medicare and Affordable Care Act public exchange services vendor, because of their importance to retirees’ and near retirees’ lives. We will update this list as more information becomes available.
Some companies consolidate breach reporting at the parent-company level. Others report through subsidiaries, through vendors or through a combination of two or more strategies.
As of Aug. 28, the breach reports summarized here that include national customer impact estimates show that more than 26 million people may have been affected.
The current estimates of the number of people affected could include a significant amount of double counting, with some accounts reported by several different entities, and some people owning two or more separate affected accounts. But this list also includes many entities for which national impact estimates were not readily available.
American National Group
Date reported: Aug. 9
Number of people or accounts who could be at risk: Not available
Identity protection service offered: Experian IdentityWorks
Athene Annuity and Life Co. and its affiliates
Date reported: July 20
Number of people or accounts who could be at risk: 70,412
Identity protection service offered: Kroll
Aurora National Life Assurance Co. (Reinsurance Group of America)
Date reported: July 21
Number of people or accounts who could be at risk: 48,457
Identity protection service offered: Norton LifeLock’s LifeLock Defender
California State Teachers’ Retirement System
Date reported: March 24
Number of people or accounts who could be at risk: NA
Identity protection service offered: Experian IdentityWorks
CalPERS
Date reported: June 22
Number of people or accounts who could be at risk: 769,000
Identity protection service offered: Experian IdentityWorks
Charles Schwab & Co.
Date reported: June 9
Number of people or accounts who could be at risk: NA
Identity protection service offered: TransUnion IdentityForce
Clear Spring Life and Annuity Company (Group 1001)
Date reported: July 27
Number of people or accounts who could be at risk: 4,393
Identity protection service offered: IDX
Club Vita US
Date reported: Aug. 10
Number of people or accounts who could be at risk: 4,821
Identity protection service offered: Kroll
Continental General Insurance
Date reported: Aug. 28
Number of people or accounts who could be at risk: 38,886
Identity protection service offered: Kroll
EP Global Production Solutions
Date reported: Aug. 11
Number of people or accounts who could be at risk: 471,362
Identity protection service offered: Kroll
Ernst & Young
Date reported: Aug. 9
Number of people or accounts who could be at risk: 30,210
Identity protection service offered: Experian
Fidelity & Guaranty Life Insurance Co.
Date reported: July 20
Number of people or accounts who could be at risk: 873,000
Identity protection service offered: Kroll
Fidelity Investments
Date reported: July 12
Number of people or accounts who could be at risk: 371,359
Identity protection service offered: Kroll
Fidelity Life Association
Date reported: Aug. 9
Number of people or accounts who could be at risk: 250,000
Identity protection service offered: Kroll
Genworth
Date reported: July 27
Number of people or accounts who could be at risk: 2,500,000
Identity protection service offered: Kroll
Group 1001 Resources
Date reported: July 28
Number of people or accounts who could be at risk: 3,169
Identity protection service offered: IDX
Hartford Life and Accident Insurance Co.
Date reported: Aug. 3
Number of people or accounts who could be at risk: 713,264
Identity protection service offered: Kroll
Jackson National
Date reported: June 20
Number of people or accounts who could be at risk: 850,000
Identity protection service offered: Kroll
Lumico Life Insurance Co., Elips Life Insurance Co.
Date reported: Aug. 1
Number of people or accounts who could be at risk: Not available
Identity protection service offered: Kroll
Massachusetts Mutual Life Co.
Date reported: July 19
Number of people or accounts who could be at risk: 242
Identity protection service offered: Kroll
Maximus
Date reported: July 28
Number of people or accounts who could be at risk: 8,000,000
Identity protection service offered: Experian IdentityWorks
Milliman Solutions
Date reported: July 17
Number of people or accounts who could be at risk: 1,280,823
Identity protection service offered: Kroll
MOVEit file transfer software from Progress
Date reported: Aug. 9
Number of people or accounts who could be at risk: 4,457
Identity protection service offered: Experian IdentityWorks