Cyber Incident Victim: Sun Life and Health Insurance Company
Date: May 2023
Location: United States of America
Summary
A global cyberattack exploiting a vulnerability in Progress Software's MOVEit file transfer software impacted Sun Life U.S. customers through a breach at its vendor, Pension Benefit Information (PBI). The incident resulted in unauthorized access to personal information, including names, Social Security numbers, policy numbers, and dates of birth. While no financial or medical data was exposed, the vendor and Sun Life provided affected individuals with credit monitoring and identity protection services.
Description
On or around May 31, 2023, Progress Software, the provider of MOVEit Transfer software, disclosed a vulnerability in their software that had been exploited by an unauthorized third party. This disclosure was part of a global cyberattack that affected hundreds of organizations worldwide. Pension Benefit Information, LLC (PBI), a company that provides audit and address research services for insurance companies, pension funds, and other organizations, utilized MOVEit in the regular course of its business operations to securely transfer files. Although Sun Life was not a direct user of the MOVEit software, it was impacted because it shares certain information with PBI to support business operations such as paying life insurance and related benefits in a timely manner.

PBI promptly launched an investigation into the nature and scope of the MOVEit vulnerability’s impact on its systems. Through this investigation, PBI learned that the unauthorized third party had accessed one of its MOVEit Transfer servers on May 29, 2023, and May 30, 2023, and had downloaded data. The investigation determined that the types of information present on the server at the time of the event included names, Social Security numbers, policy and account numbers, and/or dates of birth of some Sun Life members and account holders. No financial information, such as account values, or medical claims were exposed in the breach. PBI conducted a manual review of its records to confirm the identities and contact information of individuals potentially affected by this event in order to provide notifications, a process that had recently been completed when its notification letter was issued.
In late June 2023, PBI advised Sun Life that one of its servers had been accessed by an unauthorized third party as part of this global attack, compromising the personal data of some U.S. Sun Life customers. Sun Life, upon being notified by its vendor, initiated its own investigation alongside PBI to confirm the scope of the member data involved. There were no indications of identity theft or fraud linked to the incident at the time of discovery or in the subsequent investigations conducted by both companies.
The incident also involved another Sun Life vendor, Ernst & Young LLP (EY) Canada. EY provides tax reporting and regulatory filing services for Sun Life International. EY notified Sun Life International about an incident relating to the same third-party MOVEit software, which it uses to support the encrypted transfer of files between the firm and its clients. Hackers unlawfully gained access to and obtained certain files on EY’s MOVEit server in Canada. Based on its investigation, EY believed an unauthorized party gained access to files that may have contained personal data, which varied by individual but could include name, address, taxpayer identification number, tax residency, place and date of birth, cash value, and account balance.
In response to the breach, PBI took immediate action upon learning of the vulnerability. The company promptly took steps to patch its servers, investigate the incident, assess the security of its systems, and notify potentially affected customers and individuals associated with those customers. PBI also began reviewing and enhancing its information security policies and procedures. Although unaware of any identity theft or fraud as a result of the event, PBI offered affected individuals access to 24 months of complimentary credit monitoring and identity restoration services through Kroll. This service included credit monitoring, fraud consultation, and identity theft restoration. Individuals were provided with a membership number and a deadline to activate these services.
Similarly, EY took steps to secure its systems immediately upon becoming aware of the issue and worked with third-party security experts to investigate the scope of the incident and assist with the response. Through TransUnion, EY arranged a 24-month subscription to a credit monitoring service at no cost to affected individuals, provided through Cyberscout, a TransUnion company specializing in fraud assistance and remediation services. The service offered access to a credit report with a credit score, credit monitoring alerts with email notifications, dark web monitoring, identity theft insurance of up to $1,000,000 in coverage, and assistance with interpreting credit reports and answering fraud-related questions. EY also set up a multilingual call center to receive calls from affected individuals and answer frequently asked questions related to the MOVEit incident.
Sun Life worked with PBI to confirm the member data involved and subsequently notified the affected members. The company provided any applicable free credit monitoring and identity theft restoration services to those impacted. Sun Life also encouraged its members to take personal precautions, such as monitoring their accounts and credit history for signs of unauthorized activity and changing their account passwords, even though the passwords themselves were not exposed in the breach. The company recommended that customers consider placing credit freezes or fraud alerts with credit bureaus such as Equifax, Experian, and TransUnion for an additional layer of protection against the misuse of personal information.
The broader impacts of the incident were confined to the unauthorized access and exfiltration of personally identifiable information. No Sun Life systems, networks, or direct business operations were affected, as the company was not a MOVEit customer. The compromise occurred solely through its vendors, PBI and EY, which used the vulnerable software. The consequences involved the potential exposure of sensitive customer data, necessitating widespread consumer notifications and the offering of protective services to mitigate the risk of future identity theft or fraud. The response actions were focused on containment through patching, investigation to determine the scope, consumer notification, and the provision of monitoring services to affected individuals.
