Cyber Incident Victim: Corebridge Financial
Date: Jun 2023
Location: United States of America
Summary
Corebridge Financial suffered a data breach stemming from a critical vulnerability in the MOVEit file transfer application utilized by a third-party vendor. An unauthorized party exploited this vulnerability to access confidential consumer information stored on the company's MOVEit server. The compromised data included sensitive personal details such as names, Social Security numbers, and policy numbers, affecting a significant number of individuals.
Description
On June 16, 2023, Corebridge Financial, Inc. was notified by one of its third-party vendors regarding a critical vulnerability discovered in the MOVEit file transfer application. This application was utilized by Corebridge for data transfer operations. The specific nature of the vulnerability was not detailed in the public disclosure, but it was confirmed that the flaw allowed unauthorized external actors to gain access to data stored within the company's MOVEit server. This notification initiated the company's formal incident response process. The company's own internal information systems and operational infrastructure were confirmed to be separate from the affected system and were not compromised in the incident; the unauthorized access was isolated to the data residing on the MOVEit platform.

Immediately following the notification, Corebridge Financial launched an investigation to determine the scope and impact of the security incident. The primary objective of this investigation was to ascertain whether any consumer data had been accessed or exfiltrated as a direct result of the exploited vulnerability in the MOVEit application. The forensic analysis focused on the contents of the MOVEit server to identify which specific files and datasets were accessible during the period of unauthorized access. The investigation was a necessary step to understand the full extent of the potential data exposure and to fulfill regulatory and legal obligations regarding data breach notification.
The investigation ultimately confirmed that the vulnerability had indeed been exploited, resulting in an unauthorized party gaining access to confidential consumer information. Corebridge Financial determined that the incident impacted a significant number of individuals. The compromised data was not uniform across all affected consumers but varied from person to person. The types of sensitive personal information that were accessible included individuals' full names, their Social Security numbers, and their policy numbers with Corebridge Financial. The presence of Social Security numbers was explicitly highlighted as a particularly serious element of the breach due to the high risk of identity theft and fraud associated with the exposure of this identifier.
Upon completion of its internal investigation and after identifying the affected individuals, Corebridge Financial took steps to notify regulators and the impacted consumers. On June 26, 2023, the company filed official documents with the U.S. Securities and Exchange Commission (SEC) to publicly disclose the data breach. This regulatory filing served as the first official public confirmation of the incident and provided a high-level overview of its cause and impact. The filing confirmed that the breach was a result of the MOVEit vulnerability and that it had led to the exposure of sensitive consumer data.
Concurrent with the SEC filing, Corebridge Financial began the process of directly notifying all individuals whose information was determined to be affected by the security incident. This was carried out by sending out individualized data breach notification letters via postal mail. These letters were sent to the last known addresses of the impacted consumers on record. The content of these letters informed recipients that their personal information had been compromised in the breach. The notifications specified the categories of information that were exposed for that particular individual, which could include name, Social Security number, and policy number. The letters likely also included information about the nature of the incident and general guidance on vigilance against potential identity theft, though the specific contents of the communication were not detailed in the public articles.
The incident is part of a broader wave of cyberattacks targeting the MOVEit Transfer application, a widely used enterprise file transfer tool developed by Progress Software. The vulnerability was a zero-day flaw, and its exploitation, which has been attributed to the Clop ransomware gang, was carried out on a massive scale against numerous organizations worldwide. Corebridge Financial’s breach is therefore one incident within a much larger campaign. The company’s response was consistent with that of many other victims, involving investigation, disclosure, and consumer notification following the discovery of the compromise. The company’s operations and core financial systems remained functional and unaffected throughout the event, as the breach was confined to the third-party file transfer application. The financial and operational impact on Corebridge Financial itself, beyond the costs associated with the investigation and response, was not publicly quantified in the immediate aftermath of the disclosure. The primary consequence was the exposure of sensitive customer data, creating potential future risks for those individuals.
