New York Life data exposed in third-party breach


New York Life Insurance Company (NYLIC), one of the world’s largest corporations, was exposed to the MOVEit Transfer attacks via third-party vendor Pension Benefit Information (PBI).

PBI started contacting individuals over a breach exposing NYLIC-related data. The PBI-related breach is the latest in a series of third-party leakages associated with the company via the MOVEit Transfer attacks.

The Prudential Insurance Company of America, Wilton Re, a US-based insurer, California Public Employees’ Retirement System (CalPERS), and several others were exposed to the attack via the MOVEit Transfer service that PBI used.

According to PBI’s letter to the Maine Attorney General, the attack exposed 25,685 NYLIC-related individuals. The breach notification indicates that threat actors accessed individuals’ Social Security numbers (SSNs).

Losing SSNs poses significant risks, as impersonators can use stolen data in tandem with names and driver’s license numbers for identity theft.

So far, around 670 organizations and 46 million people have been confirmed to be impacted by Cl0p’s MOVEit Transfer attacks.

For example, EY said that over 30,000 Bank of America customers were exposed via the MOVEit Transfer attacks, with threat actors accessing financial account information and credit card numbers.

Cl0p exploited a now-patched zero-day vulnerability in the MOVEit Transfer software, allowing cybercrooks to access and download the data stored there.