Breach of death auditor PBI exposes details of 370,000 people


Pension Benefit Information (PBI), a US-based population management solutions provider, discovered another MOVEit Transfer-related breach that exposed its users. The total number of exposed users exceeds 2.5 million.

The company started distributing breach notification letters to users whose data was exposed. According to PBI, attackers exploited the MOVEit Transfer zero-day bug to steal the company’s data.

“The investigation determined that a threat actor exploited a zero-day vulnerability, accessed one of PBI’s MOVEit Transfer servers on May 29th, 2023, and May 30th, 2023, and exfiltrated certain data from that MOVEit Transfer server during that time,” PBI’s letter said.

An investigation revealed that attackers could have accessed names, partial mailing addresses, Social Security numbers, and dates of birth. According to the information that PBI provided to the Maine Attorney General, the breach exposed over 370,000 individuals.

MOVEit Transfer is managed file transfer software. The now-patched zero-day bug affected MOVEit Transfer servers, allowing attackers to access and download the data stored there.

PBI’s recent breach notification letter said that the company “is providing access to credit monitoring and identity restoration services for two years” to individuals affiliated with the company’s business clients whose customers’ data was involved in the event.

PBI boasts of being the largest obituary database in the US, providing services to thousands of organizations. Pension funds, insurance companies, and other businesses use PBI’s services to determine whether individuals are eligible for benefits.

Other companies that used PBI as a third-party vendor were impacted by the breach as well. Wilton Re, a US-based insurer, said that the MOVEit Transfer exploit exposed the details of nearly 1.5 million people.

Meanwhile, CalPERS, the largest public pension fund in the US, said that “anyone who was receiving an ongoing monthly benefit payment as of this spring” could have had their name, date of birth, and Social Security Number (SSN) exposed in the breach. The number of exposed CalPERS users is estimated to be 769,000.

Who is Cl0p, and what’s the MOVEit zero-day?

The Russia-linked Cl0p ransomware cartel has taken credit for the exploit. So far, over 200 organizations have fallen victim to the attack, with the estimated number of exposed people exceeding 17 million.

They claim to have breached hundreds of companies in the process. Experts we’ve spoken to say that around 3,000 deployments of the MOVEit application were active when the flaw was first discovered.

Cl0p has been posting victims’ names on their dark web leak site since June 14th, including Shell Global, Telos, Deutsche Bank, Radisson, and others. The extent of the exposed data depends on how a certain company uses the file transfer system.

Cl0p operates under the Ransomware-as-a-Service (RaaS) model, which means that it rents the software to affiliates for a pre-agreed cut of the ransom payment.

The gang employs the “double-extortion” technique of stealing and encrypting victim data, refusing to restore access, and publishing exfiltrated data on its data leak site if the ransom is not paid.