PBI notifies Prudential of MOVEit breach

Pension Benefit Information (PBI), a third party contractor of prestigious firms like the Prudential Insurance Company of America, has joined the ever-growing list of victims of the third-party MOVEit hack. But some good news for the insurer at least, which appears to have escaped the worst.

In a letter to affected customers, PBI says it became aware of the data breach around the end of May, when MOVEit transfer software firm notified it.

Victims of the breach now run the risk of their names, addresses, telephone and Social Security numbers being used by criminals to commit other types of online crime including fraud and identity theft.

In a separate disclosure made to the Attorney General’s Office in Maine, which imposes strict reporting requirements on firms suffering data breaches that concern its residents, PBI said 320,840 people had been affected.

Like so many other companies, including Maximus, Deloitte, the Annuity Services of America, it used the MOVEit Transfer software and has been impacted by cyber gang Cl0p’s notorious attack on that company.

PBI says it launched an investigation into “the nature and scope of the impact on our systems” to confirm that an intruder had indeed accessed one of its MOVEit Transfer servers on May 29-30th and downloaded data. However, Prudential itself appears to have escaped being directly affected.

“We then conducted a manual review of our records to confirm the identities of individuals potentially affected by this event and their contact information to provide notifications,” it added. “We recently completed this review and shared the findings with our impacted customers. Prudential's information systems and operations were not impacted.”

PBI has offered victims two years of free identity theft and credit monitoring services, along with fraud consultation and identity theft restoration.

NB: This article was amended on August 16th. The previous version confused PBI with Prudential, which was in fact not directly affected by the MOVEit breach. This error has since been amended.