Cyber Incident Victim: PBI Research
Date: May 2023
Location: United States of America
Summary
PBI Research Services suffered a data breach via the exploitation of a zero-day vulnerability in its MOVEit Transfer application by the Clop ransomware gang. The incident resulted in the data of millions of individuals being stolen from PBI's clients, including Genworth Financial, Wilton Reassurance, and CalPERS. Exposed information included highly sensitive personal details such as names, dates of birth, and Social Security numbers. PBI promptly patched the software and engaged cybersecurity specialists and law enforcement.
Description
On or around May 27, 2023, the Clop ransomware gang began exploiting a zero-day vulnerability in the MOVEit Transfer file transfer application. This widespread campaign targeted hundreds of organizations utilizing the software. PBI Research Services (PBI), which used the MOVEit application with a number of its clients, was among the organizations impacted by this exploitation. The threat actors gained access to the MOVEit administrative portal at PBI, exploiting the specific vulnerability identified by Progress Software. The cyber criminals did not gain access to PBI’s other internal systems; the compromise was confined to the MOVEit application subject to the vulnerability.

Upon learning of the vulnerability from Progress Software at the end of May, PBI promptly patched its instance of the MOVEit software. The company then assembled a dedicated team of cybersecurity and privacy specialists to manage the incident response. PBI also notified federal law enforcement agencies of the breach. Its primary subsequent action was to contact all clients potentially impacted by the security event within its MOVEit system, to inform them of the situation and begin an investigation.

The first client to publicly disclose an impact was Genworth Financial, a Virginia-based life insurance services provider. PBI informed Genworth of the security breach on June 16, 2023. Following an investigation, Genworth verified that sensitive personal data belonging to its customers had been stolen from PBI's systems. The company estimated the breach impacted between 2.5 and 2.7 million individuals, who were either its customers holding insurance, annuity, or long-term care policies, or individuals working for the company as insurance agents. The data exposed in this theft included full name, date of birth, Social Security number, zip code, state of residence, policy number, and, for agents, their Agent ID. Genworth stated the attack did not impact its own internal systems and network or affect its business operations, as it did not use the MOVEit or GoAnywhere products itself. The company planned to send data breach notification letters to affected individuals in the coming weeks, which would contain instructions for enrolling in free credit monitoring and identity theft protection services.

The second firm impacted was Wilton Reassurance, a New York-based insurance provider. It reported that the personal data of 1,482,490 of its customers was stolen in the breach. As filed in a report with the Office of the Maine Attorney General, the stolen information included customer names and Social Security numbers. Although a sample notification letter was not yet uploaded to the state portal at the time of reporting, Wilton Reassurance committed to providing impacted individuals with 12 months of free identity theft protection and credit monitoring services, which would be offered through the firm Kroll.

The third entity to report an impact was the California Public Employees’ Retirement System (CalPERS), the largest public pension fund in the United States. CalPERS announced that approximately 769,000 of its retired members and beneficiaries were impacted by the security incident at PBI. The agency stated it responded immediately after learning about the breach from PBI. Its actions included taking steps to secure its members' benefits and data by strengthening its data management protocols that pertained to working with external contractors. All impacted members were to receive individual notification letters containing detailed information on how to access two years of free credit monitoring service provided through Experian.

The collective impact from these three disclosed clients alone amounted to the confirmed exposure of sensitive personal data for approximately 4.75 million individuals. This number was subject to potential increase as other clients of PBI Research Services might make further disclosures. The Clop ransomware gang, which claimed responsibility for the overarching attack campaign, utilized its data leak site to slowly list victim organizations and extort them by threatening to release stolen data. As of June 23, 2023, PBI Research Services itself had not been listed on Clop's data leak site. This absence could have indicated ongoing negotiations between PBI and the threat actors, or it could have meant that Clop had simply not yet begun to extort the organization directly. A PBI spokesperson confirmed the company was working directly with each impacted client to identify affected consumers and develop appropriate data breach notification plans.
