Cyber Incident Victim: The Hartford

On or around May 29, 2023, an unauthorized third party exploited a vulnerability in the MOVEit Transfer software, a secure file transfer application developed by Progress Software. This exploitation constituted a global cyberattack targeting numerous organizations that utilized the software. The attackers accessed and downloaded data from the MOVEit Transfer servers of Pension Benefit Information, LLC (PBI), a vendor providing audit and address research services for insurance companies and pension funds. The unauthorized access occurred on May 29 and May 30, 2023. PBI utilized the MOVEit software in the regular course of its business operations to securely transfer files with its clients. The breach of PBI's systems was a component of a larger security event that ultimately impacted over 280 organizations globally, including many universities and corporations.

The Hartford, an insurance company, was notified of this security incident due to its business relationship with PBI. The Hartford itself did not use the vulnerable MOVEit Transfer software, and its internal systems were not exposed to or compromised by the MOVEit vulnerability. The company was impacted because PBI was a vendor used by The Hartford’s Group Benefits business. PBI acted as a claims vendor, and The Hartford had shared Group Benefits customer data with PBI as part of their service agreement. The data accessed by the attackers was the information that had been transferred to and was residing on PBI's compromised MOVEit server at the time of the intrusion.

The investigation into the event determined that the types of personal information accessed for impacted individuals included name, date of birth, Social Security number, and resident state and zip code. According to The Hartford, the data accessed did not include personal health information or medical data. The majority of the information sent to PBI related to active and approved claimants. The Hartford clarified that it does not send personal health data or census or eligibility files received from employers to PBI. The scope of the incident for The Hartford was confined to its Group Benefits customer data that was in PBI's possession.

Upon becoming aware of the vulnerability disclosure by Progress Software at the end of May, PBI promptly launched an investigation to determine the nature and scope of the impact on its systems. The company took steps to patch its MOVEit servers to remediate the software vulnerability. The Hartford immediately took action to confirm that PBI had successfully remediated the vulnerability and that PBI's systems were no longer compromised. The Hartford worked with its affected customers, such as Forrester Research, Inc., to provide notification of the breach. PBI conducted a manual review of its records to confirm the identities of individuals potentially affected by the event and to obtain their contact information for providing direct notifications. This review process was completed in late July 2023.

Formal notifications to impacted individuals began in late July. These notifications were sent by PBI and by The Hartford's affected customers, such as Forrester. The notifications detailed the nature of the event, the types of personal information involved, and the response actions taken. As a remedial measure, PBI offered impacted individuals access to 24 months of complimentary credit monitoring and identity restoration services provided by Kroll, a risk mitigation firm. These services included credit monitoring, fraud consultation, and identity theft restoration. Instructions for activating these services were enclosed with the notification letters, and individuals were given a deadline to enroll.

The cyberattack had a significant secondary impact on organizations that relied on vendors using MOVEit software. The Colorado State University System was notified by several of its vendors, including TIAA, National Student Clearinghouse, Corebridge Financial, Genworth Financial, Sunlife, and The Hartford, that they had been impacted by the global MOVEit attack. The data breach was reported to potentially involve information for some current and former employees and students dating back to at least 2021. The university system emphasized that its own internally operated and maintained systems were not breached. It established a dedicated webpage to provide updated information to its community and to help them mitigate personal risk. The incident served as a reminder of the cybersecurity risks associated with third-party vendors and the importance of robust vendor security assessments. The overall event was characterized by its scale, impacting a wide array of sectors through a single point of failure in a commonly used commercial software product.