PALIC customers’ credit card data exposed via MOVEit attacks


Pan-American Life Insurance Company (PALIC) customer details have been exposed after attackers accessed its MOVEit Transfer servers, netting a trove of sensitive data on over 100K individuals.

PALIC sent breach notification letters to individuals whose data may have been exposed in the MOVEit Transfer-related data breach. The wave of attacks, one of the largest this year, resulted in scores of companies having their data stolen via a now-fixed zero-day vulnerability.

According to PALIC’s letter, the company used MOVEit Transfer to exchange files and learned about the zero-day from Progress Software, the MOVEit Trasnfer’s maker.

ADVERTISEMENT

“Our investigation revealed that an unauthorized third party used the vulnerability in MOVEit to take files that contain personal information, including yours,” reads the notification.

PALIC revealed that attackers may have accessed files containing sensitive information, including:

  • Names
  • Addresses
  • Social Security numbers
  • Dates of birth
  • Driver’s license numbers
  • Medical and medical benefits information
  • Certain biometric data
  • Financial account and credit card information

The company said it has “no evidence that the personal information has been used in any way that can cause” harm to affected individuals.

However, attackers could employ the data in a variety of malicious ways. Threat actors could use medical details for medical identity theft, a type of fraud where threat actors use stolen information to submit forged claims to Medicare and other health insurers.

Meanwhile, other personally identifiable information (PII) may be used to commit fraud, from identity theft and phishing attacks to opening new credit accounts, making unauthorized purchases, or obtaining loans under false pretenses.

PALIC's parent company, the Pan-American Life Insurance Group (PALIG), operates in 22 countries across the Americas, covers over seven million people, and employs over 2,100 staff.

Earlier this year, the Cl0p ransomware cartel exploited a zero-day bug in the MOVEit Transfer software, which allowed attackers to access and download the data stored there.

ADVERTISEMENT

According to researchers at Emsisoft, over 2,600 organizations – mainly in the US – and over 83 million individuals have been impacted by MOVEit attacks by the Russia-linked ransomware cartel.

Taking IBM’s estimate, which puts the cost of an average data breach at $165 per leaked record, the impact of Cl0p attacks would add up to a staggering $13.7 billion.