Client data from New York Life Insurance Company (NYLIC) was repeatedly exposed, it has been found. The news comes after Andesa, a third-party vendor, announced that it had been affected by the MOVEit Transfer attacks.
NYLIC is the largest life insurance company in the US, and is among the world’s largest corporations. The company used a third-party vendor, Andesa Services, for administrating employer-owned or sponsored New York Life insurance policies.
The notice to affected clients on October 23rd stated that an unknown actor exploited a previously unknown vulnerability that affected the MOVEit transfer tool, and “obtained access to certain data from the MOVEit Transfer server,” which was used by the third-party vendor.
According to the investigation, the attacker accessed the private data between May 30th, 2023, and May 31st, 2023. Among the breached data were clients’ names and Social Security numbers. The company claimed that it is “currently unaware of any actual or attempted misuse” of the personal data.
The Office of the Maine Attorney General states that more than 30,000 people were affected by the breach. The company has offered affected individuals free credit monitoring and identity theft protection services provided by Experian.
Second third-party vendor affected by MOVEit breach
Andesa isn’t the first NYLIC service provider to be affected by the MOVEit breach. In August, Pension Benefit Information (PBI) reported the exposure of NYLIC-related data related to the transfer tool breach. According to PBI’s letter to the Maine Attorney General, the attack exposed 25,685 NYLIC-related individuals.
In total, over 2,500 organizations and over 66 million people have been confirmed to be impacted by MOVEit Transfer attacks, and new victims continue to come forward. The Russia-linked Cl0p ransomware gang has taken credit for exploiting the MOVEit zero-day bug and has been posting victims' names on their dark web leak site since June.
More from Cybernews:
Subscribe to our newsletter