Cyber Incident Victim: Jackson National Life Insurance Company
Date:
May 2023
Location:
United States of America
Summary
Jackson National Life Insurance Company experienced a data breach due to a third-party software vulnerability in the MOVEit Transfer application exploited by an unauthorized actor. The incident impacted a vendor, Pension Benefit Information (PBI), compromising the personally identifiable information of approximately 700,000 to 800,000 customers. A separate, more limited unauthorized access event also occurred on two of the company's own servers, though business operations were uninterrupted and financial results were unaffected.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around May 28, 2023, a cybersecurity incident was identified involving a zero-day vulnerability in the MOVEit Transfer application, a software product from Progress Software Corporation. This vulnerability, which was previously unknown, allowed malicious actors to gain unauthorized access to sensitive files and information. The exploitation of this flaw led to a widespread cybersecurity event impacting numerous organizations and governmental agencies globally. Jackson National Life Insurance Company was among the many entities affected by this third-party software vulnerability.

The incident impacted Jackson through its third-party vendors. Jackson uses Pension Benefits Information, LLC (PBI) to perform regulatory compliance and operational support services, specifically to satisfy obligations to search various databases to determine the death of certain life insurance policyholders or annuity contract holders. This service aids in identifying possible beneficiaries for death benefits. PBI utilized the MOVEit application to support these secure file transfers. NTT DATA, the parent company of Jackson's third-party administrator Transactions Applications Group (TAG), advised that between May 29 and May 30, 2023, an unauthorized third party exploited the vulnerability in PBI's MOVEit application and may have acquired some Jackson policyholder information.
Jackson learned of the incident on June 30, 2023, and a subsequent review of the data provided by NTT DATA confirmed that the unauthorized third party had in fact acquired information related to Jackson policyholders. The types of information involved included first and last name, gender, Social Security number, date of birth, city, state and zip code, and policy number. The incident occurred entirely within PBI’s systems, and Jackson had no reason to believe its own systems or network environment were impacted. Jackson also stated it was one of many companies affected and that its policyholder data was not specifically targeted. The current assessment indicated that personally identifiable information relating to approximately 700,000 to 800,000 of Jackson’s customers was obtained from PBI’s systems.
Separately, Jackson itself experienced unauthorized access to two of its own servers as a direct result of the same MOVEit zero-day vulnerability. The scope and nature of the data accessed on these Jackson servers was assessed to be significantly less than the impact from the PBI breach. The unauthorized actor did not gain access to any other Jackson systems or software, and there was no interruption to Jackson’s business operations. A preliminary assessment indicated that a subset of information relating to certain partner organizations and individuals, including certain Jackson customers, was obtained from the two affected servers.
In response to the incident involving its own servers, Jackson, with the assistance of third-party cybersecurity specialists, promptly launched an investigation into the unauthorized access. The company secured its affected servers and patched the identified MOVEit vulnerability. A forensic analysis was conducted to understand the full scope of the intrusion. PBI also completed the recommended patching and remediation steps to secure its systems and informed law enforcement of the incident.
Jackson notified law enforcement authorities and its primary insurance regulators about both aspects of the incident. The company committed to keeping these authorities informed as the investigation progressed. Jackson also engaged outside experts to help remediate the situation and ensure the ongoing security of its policyholder information. Relevant state regulators and federal law enforcement authorities were notified regarding the incident.
To help protect affected individuals, Jackson secured the services of Kroll to provide complimentary identity monitoring services for a period of two years. These services included credit monitoring, a current credit report, web watcher, public persona, quick cash scan, $1 million identity fraud loss reimbursement, fraud consultation, and identity theft restoration. Instructions on how to enroll in these services were provided to affected individuals via notification letters. Jackson worked diligently to identify all affected individuals and committed to ensuring that appropriate notification was provided to these individuals, as well as other regulators, as soon as reasonably possible.
The company stated it had no indication of identity theft or fraud in relation to this event at the time of the notifications. Despite the breach, Jackson did not believe the incident had a material adverse effect on the business, operations, or financial results of its parent holding company, Jackson Financial Inc. The financial and operational impact was deemed non-material, with no interruption to business services reported. The primary consequences were the potential exposure of sensitive customer data and the associated costs of response and mitigation, including the offering of credit monitoring services. The incident highlighted the risks associated with third-party software dependencies and supply chain vulnerabilities, particularly when a widely used application is exploited on a global scale.
