Cyber Incident Victim: RiverSource Life Insurance
Date: May 2023
Location: United States of America
Summary
A cybersecurity incident impacted RiverSource Life Insurance policyholders, agents, and beneficiaries after a third-party vendor's MOVEit file transfer system was breached. The event compromised personal data, affecting over 37,500 Delaware residents. In compliance with state law, the insurer is required to provide affected consumers with credit monitoring services for at least one year and information on credit freezes. The breach is under investigation by state insurance authorities.
Description
A data breach impacting RiverSource Life Insurance policyholders, agents, and beneficiaries was disclosed by the Delaware Department of Insurance. The incident was part of a larger cybersecurity event involving the MOVEit file transfer system, which was used by third-party vendors serving multiple insurers. The breach was publicly reported by the Delaware Department of Insurance in a consumer alert issued on June 26, 2023, which was subsequently updated on July 24, 2023, as additional data breach reports from insurers were received. The initial compromise of the MOVEit system is understood to have occurred on or around May 29, 2023.

The incident involved the unauthorized access and acquisition of personal data belonging to more than 37,500 individuals within the state of Delaware who were associated with RiverSource Life Insurance and other listed companies. The data was compromised due to a vulnerability in the MOVEit file transfer system exploited by attackers. This system was utilized by third-party vendors that provided services to RiverSource Life Insurance, indicating the breach occurred within a vendor's environment rather than the insurer's own direct systems. The specific nature of the personal data exposed was not detailed in the public alert, but such breaches typically involve sensitive information used in insurance operations.
In response to the event, the provisions of Delaware’s Insurance Data Security Act were triggered. This law, passed in 2019 and based on the National Association of Insurance Commissioners’ model law, mandates specific protocols for insurance companies and their vendors following a cybersecurity event. The mandated requirements include a thorough investigation of the cybersecurity event and the correction of any compromised information systems. Affected entities are also required to provide detailed reporting of the incident to the Delaware Insurance Commissioner.
Furthermore, the Act requires that consumers whose data was compromised be notified within 60 days of the discovery of the event, unless federal law or a request from law enforcement agencies necessitates a modified timeline. As part of the consumer notification and remediation effort, the affected individuals must be provided with credit monitoring services at no cost for a minimum period of one year. The notifications also include information and guidance for consumers on how to freeze their credit with the major credit bureaus to help prevent identity theft and fraud.
Insurance Commissioner Trinidad Navarro publicly addressed the breach, emphasizing the seriousness with which the department viewed the incident. He encouraged all affected consumers to utilize the offered identity and credit protection services. Commissioner Navarro also confirmed that the department's Market Conduct staff would be investigating the situation, likely in coordination with investigators from other states. The focus of this investigation would be to assess whether appropriate safeguards for handling consumer data were in place at the time of the breach, as required by law. The department retains the authority to investigate violations of the Insurance Data Security Act and to levy penalties accordingly if any failures in compliance are discovered.
The breach's impact was not isolated to Delaware; it was part of a widespread global exploitation of the MOVEit software vulnerability that affected countless organizations. The response, therefore, involved a coordinated effort across multiple jurisdictions. The requirement for insurers to provide credit monitoring for a full year to affected individuals represents a significant remedial action aimed at mitigating potential long-term financial harm to those whose information was exposed. The public disclosure by the Delaware Department of Insurance served to inform potentially impacted residents to be vigilant and to watch for official contact from the insurers regarding the specific details of the breach and the services being offered to them.
