Cyber Incident Victim: United Bankshares, Inc.

Date: Jun 2023

Location: United States of America

Summary

A cybersecurity incident at Corebridge Financial was caused by a critical vulnerability in the MOVEit file transfer application utilized by a third-party vendor. This vulnerability enabled an unauthorized party to access the company's MOVEit server, compromising the confidential information of consumers. The breached data included sensitive personal details such as names, Social Security numbers, and policy numbers. The company's own information systems and operations were not directly impacted by this event.

Description

On June 16, 2023, Corebridge Financial, Inc. was notified by one of its third-party vendors of a critical vulnerability within the MOVEit file transfer application utilized by the company. This notification served as the initial point of discovery for a significant data security incident. The vulnerability inherent in the MOVEit software provided a vector for unauthorized external parties to gain access to data stored on Corebridge’s MOVEit server. Following this notification, Corebridge Financial promptly initiated an internal investigation to ascertain the full scope and impact of the incident. The primary objective of this investigation was to determine whether any consumer data had been compromised as a direct result of the exploited vulnerability in the third-party file transfer tool.

The investigation conducted by Corebridge Financial confirmed that the vulnerability had indeed been exploited, leading to an unauthorized party accessing the company’s MOVEit server. The access was limited exclusively to information housed within that specific server; the company’s broader information systems, internal networks, and operational infrastructure were not penetrated or otherwise impacted by this event. The security compromise was confined to the data residing on the MOVEit platform at the time the vulnerability was actively exploited. The forensic review focused on identifying which specific files and datasets were accessed or exfiltrated by the unauthorized actor during the period of unauthorized access.

Upon completing its analysis of the compromised server, Corebridge Financial determined that a substantial amount of sensitive consumer information had been exposed. The breached data was not uniform for all affected individuals but varied depending on the specific files accessed. The compromised information included personally identifiable information, specifically the full names and Social Security numbers of consumers. Furthermore, the unauthorized party also gained access to confidential policy numbers linked to the financial products and services held by Corebridge. The company characterized the number of Social Security numbers leaked as "a significant number," indicating the substantial scale of the incident.

Corebridge Financial, Inc. is a major financial services corporation headquartered in Houston, Texas. The company and its various subsidiaries specialize in providing a comprehensive suite of life insurance products, retirement planning solutions, and ancillary financial services to both individual consumers and businesses. Its operations are focused on helping clients protect assets, manage financial risks, and prepare for retirement. With a workforce exceeding 8,000 employees and generating annual revenue of approximately $26 billion, the compromise of its consumer data impacted a large client base.

In compliance with regulatory obligations, Corebridge Financial filed an official disclosure with the U.S. Securities and Exchange Commission on June 26, 2023. This filing formally announced the data breach and provided a summary of the company's findings regarding the cause and extent of the incident. The public disclosure confirmed that the breach was a direct result of the vulnerability in the Progress Software MOVEit application and outlined the types of consumer information that were accessible to the unauthorized party. This step represented the company's official public acknowledgment of the security event.

Also on June 26, 2023, Corebridge Financial began the process of directly notifying individuals whose personal information was confirmed to be affected by the breach. The company executed this duty by sending out individualized data breach notification letters via postal mail to all impacted consumers. These letters served to inform recipients that their specific data was involved in the incident and detailed the precise categories of information that had been exposed. The notification process was a critical component of the company's response, aiming to provide transparency to those whose privacy was potentially compromised.

The incident did not disrupt the normal business operations of Corebridge Financial. Since the breach was isolated to the MOVEit server and did not involve a wider network intrusion or system outage, the company was able to continue its insurance and financial services activities without interruption. The response efforts were focused on investigative analysis, regulatory compliance, and consumer notification rather than on containing an ongoing attack or restoring crippled systems. The operational impact was therefore confined to the reputational and financial costs associated with the data leak and the subsequent response measures.

The primary consequence of the incident was the exposure of highly sensitive personal data, which inherently elevates the risk of identity theft and financial fraud for the affected individuals. The combination of names, Social Security numbers, and policy numbers provides a potent set of information that could be misused for fraudulent activities. The company’s disclosure did not specify the exact number of individuals impacted but emphasized the significant volume of Social Security numbers involved. The long-term impact on consumers revolves around the potential for their information to be exploited maliciously, necessitating vigilance and monitoring of their financial accounts and credit reports.

Corebridge Financial’s response was characterized by a sequence of investigation, confirmation, and notification. The company relied on its third-party vendor for the initial alert regarding the MOVEit vulnerability, which triggered its internal investigation. This investigation successfully identified the scope of accessed data and the affected population. The company then fulfilled its legal duties by filing with the SEC and dispatching direct mail notifications to consumers within ten days of confirming the breach's details. The response did not involve publicly offering credit monitoring or identity protection services as part of the initial notification, as such details were not mentioned in the public disclosure. The breach was attributed solely to a vulnerability in a third-party software product and not to any alleged failure of Corebridge’s internal security protocols.
