Cyber Incident Victim: American National Group, LLC

Date: May 2023

Location: United States of America

Summary

A cybersecurity incident at American National Insurance occurred due to a previously unknown vulnerability in the third-party MOVEit Transfer application. An unauthorized party gained access to its MOVEit systems and acquired files containing customer personal information. The compromised data included names, Social Security numbers, dates of birth, addresses, and medical treatment information. The company took the application offline, launched an investigation, and notified law enforcement.

Description

On May 31, 2023, Progress Software Corporation announced a previously unknown vulnerability affecting its MOVEit Transfer application. This widespread vulnerability impacted numerous organizations globally, including American National Group, LLC (“American National”), due to the software's common use for various business purposes. The public announcement followed the discovery that an unauthorized third party had gained access to certain American National MOVEit systems three days prior, on May 28, 2023. On that date, the attacker successfully acquired files containing personal information belonging to American National's customers.

In immediate response to the public disclosure of the vulnerability, American National took the affected MOVEit application offline. The company launched an investigation into the incident and engaged third-party advisors and incident response professionals to assist. The firm's incident response plan was activated to coordinate these efforts. The subsequent investigation confirmed the unauthorized access and data acquisition that had occurred on May 28th.

The compromised files contained sensitive personal information of American National customers. The company reviewed the impacted data and determined the exposed information included names, Social Security numbers, dates of birth, and addresses. For a subset of individuals, the compromised data was more extensive, also containing medical treatment information, including dates of service and healthcare provider information. The incident was part of a broader global attack exploiting the MOVEit vulnerability, primarily attributed to the Clop ransomware group, which had listed American National's name on a website outside the public internet by July 7, 2023.

As a protective measure for affected individuals, American National offered a complimentary two-year membership to Experian’s IdentityWorks Credit 3B. This service was designed to help detect possible misuse of personal information and provide identity protection support focused on the immediate identification and resolution of identity theft. The enrollment was free, would not affect credit scores, and individuals were instructed to activate the service by November 30, 2023. The product features included credit monitoring across all three major bureaus, internet surveillance scanning the dark web for personal information, identity restoration support, and $1 million in identity theft insurance.

The company's response also included applying all available software updates to the MOVEit application as they were released by the vendor. American National implemented additional, unspecified measures to enhance the security of the application to prevent a recurrence. The company formally notified law enforcement agencies and was cooperating with their investigation into the breach. A dedicated call center was established to answer customer questions regarding the incident, operating extended hours on weekdays and weekends.

The incident was part of a much larger wave of attacks, with the number of affected organizations surpassing 250. The data breach impacted a significant number of individuals, with one estimate placing the total number of people exposed globally at a minimum of 17.7 million. American National's communication to affected customers included detailed guidance on additional steps they could take independently. This guidance advised individuals to remain vigilant by reviewing account statements and monitoring credit reports. It provided instructions on how to obtain free annual credit reports from Equifax, Experian, and TransUnion.

The notice also explained the process for placing a security freeze, also known as a credit freeze, on credit files with all three nationwide credit reporting agencies. This action, guaranteed by federal law and free of charge, restricts access to credit reports, making it harder for identity thieves to open new accounts. The company detailed the specific information required to request a freeze, including full name, Social Security number, date of birth, address history, and copies of government-issued identification and a recent utility or financial statement.

Furthermore, information was provided on placing fraud alerts, which instruct businesses to verify identity before opening new accounts. An initial fraud alert remains on a credit report for one year and is free to place. The notice instructed individuals to contact the Federal Trade Commission and their state Attorney General's office if they believed they were a victim of identity theft or that their personal information had been misused. Contact information for specific state attorneys general was included for residents of Connecticut, the District of Columbia, Maryland, New York, North Carolina, Rhode Island, Washington, and West Virginia. The notice also affirmed the right of individuals to obtain a police report regarding the incident, with specific guidance provided for residents of Iowa, Massachusetts, Oregon, and Rhode Island.
