On Thursday, the scope of the MOVEit hack expanded significantly as the number of victims grew by several million.
Calpers, the largest U.S. pension fund, and insurer Genworth Financial disclosed that the personal information of their members and customers had been compromised.
Both organizations revealed that a third-party vendor, PBI Research Services, had been affected by a data theft hack, which subsequently allowed the hackers to access data from Calpers and Genworth. However, PBI Research Services could not be reached for comment.
Calpers received notification from PBI on June 6, 2023, regarding a “vulnerability” in their MOVEit Transfer software that enabled hackers to download “our data.” Unfortunately, the exact number of impacted individuals was not specified, but news reports indicated that information from over 700,000 Calpers members and retirees had been taken. The MOVEit software is widely utilized by various organizations worldwide for sharing sensitive data.
Genworth Financial experienced a more substantial impact, with personal information from nearly 2.5 million to 2.7 million of its customers being breached.
Genworth stated, “The personal information of a significant number of insurance policyholders or other customers of its life insurance businesses was unlawfully accessed.”
Since the security flaw in Progress Software’s MOVEit Transfer product was discovered last month, numerous victims have emerged, ranging from U.S. government departments to the UK’s telecom regulator Ofcom and energy giant Shell.
Genworth confirmed that it is actively working to provide “protection services” for the affected individuals, as stated in a regulatory filing.
The data taken from Calpers included members’ first and last names, date of birth, and social security numbers. Calpers serves a retirement system with over 2 million members.
The MOVEit hack has impacted multiple state and federal agencies. Recently, the U.S. Department of Energy received ransom requests from the Russia-linked extortion group Cl0p for its nuclear waste facility and scientific education facility, both of which were recently targeted in a global hacking campaign.
The compromised data at these two DOE entities resulted from hackers exploiting a security flaw in MOVEit Transfer.
The wide-ranging consequences of this hack underscore the challenges faced by even the most security-conscious federal agencies in defending against ransomware attacks. Ransomware groups typically target widely-used tools like MOVEit Transfer.
The hack was first announced on 31 May by Progress Software, the makers of MOVEit. Since the initial MOVEit disclosure, researchers have found many security issues within the software which means it is possible that the data was stolen in a different way by a different group.
On Friday, the US announced a $10 million reward for information linking the Clop gang or any other malicious cyber actors targeting US critical infrastructure to a foreign government.