Cyber Incident Victim: Prudential Assurance Malaysia Berhad
Date: Jun 2023
Location: Malaysia
Summary
Prudential Assurance Malaysia Berhad (PAMB) was affected by a global cyberattack exploiting a zero-day vulnerability in the MOVEit file transfer tool. The incident resulted in a data breach where personal information of agents and customers was likely exfiltrated. This data included names, contact numbers, national identification numbers, bank account details, and partial credit card information. The company isolated the affected server, launched an investigation, and notified the relevant authorities.
Description
On or around June 13, 2023, Prudential Assurance Malaysia Berhad (PAMB) and Prudential BSN Takaful Berhad (PruBSN) publicly confirmed they were among the many companies globally affected by a cyber attack exploiting a zero-day vulnerability in the MOVEit file transfer software. The incident, described as a global MOVEit data-theft attack, involved the exploitation of this previously unknown software flaw. The companies became aware of the breach and immediately took action to isolate the affected server from their network to prevent further unauthorized access. Concurrently, an incident response team launched a thorough investigation into the scope and impact of the intrusion. The relevant Malaysian authorities were notified of the security incident as part of the initial response protocol.

The ongoing investigation determined it was very likely that personal data belonging to the companies' agents and customers was affected. The types of information potentially compromised included names, contact numbers, national identification numbers, bank account information, and partial credit card information. The inclusion of only partial credit card details was assessed to reduce the risk of unauthorized financial transactions being conducted with the stolen data. The investigation remained ongoing as of the latest update on June 27, 2023, with the companies working to confirm the full extent of the data impact as quickly as possible. The affected server was identified as part of the MOVEit software infrastructure used for file transfers.
In response to the confirmed data exposure, immediate steps were taken to notify customers who were impacted by the breach. A dedicated customer support hotline was established to provide appropriate support and answer inquiries related to the incident. The hotline operated with extended hours to increase accessibility, initially set from 8:30 am to 7:00 pm on weekdays and 8:30 am to 1:00 pm on Saturdays. This schedule was adjusted effective June 28, 2023, to weekday operations from 8:30 am to 5:15 pm while retaining the Saturday hours. A further adjustment took effect on July 1, 2023, with the hotline operating weekdays from 8:30 am to 5:15 pm and discontinuing Saturday operations. The contact numbers were 03-2771 2480 for PAMB customers and 03-2742 4060 for PruBSN customers.
Public communication was a key component of the response. The companies published a detailed announcement on their official websites, providing a joint statement on the incident, the potential data types involved, and the steps being taken. This announcement was updated as the situation developed, with the latest update timestamped June 27, 2023, at 10:30 am. The public was directed to these websites for the latest information. The companies also provided guidance to agents and customers on safeguarding themselves in the wake of the incident. This guidance recommended remaining cautious of unsolicited communications like phone calls, SMS, and emails; avoiding clicking on links or downloading attachments from suspicious messages; refraining from sharing passwords or one-time passwords (OTPs) with anyone; and regularly reviewing bank and credit card statements for any suspicious activity. Customers suspecting their credit cards were compromised were advised to contact their card issuer directly.
Throughout the incident, the companies emphasized that their core business operations remained fully functional and that there was no disruption to customer services or policy management systems. The attack was isolated to a specific server related to the MOVEit application and did not propagate to other core IT systems. The companies stated they are constantly reviewing and updating their defence systems and highlighted that they responded swiftly to this specific vulnerability in the MOVEit software once it was identified. The incident was framed as part of a broader global trend of increasing cybersecurity attacks. For media inquiries, the Corporate Communications teams at both entities remained the designated points of contact, handled via email. The incident involved a third-party software vulnerability rather than a direct breach of the companies' internal networks, and the response focused on containment, investigation, customer notification, and support.
