Hackers accessed American National Insurance and Sun Life's insurance data

The number of organizations affected by a recently exploited vulnerability in a popular file transfer tool surpassed 250 as major corporations like Radisson Hotels and some major insurance companies confirmed that their data was accessed by hackers exploiting a vulnerability in the software.

American National Insurance Company, one of the biggest in the U.S., also confirmed that Progress Software is one of its vendors and that an investigation has been started into what data may have been accessed by the Clop ransomware group – which has been the primary gang of hackers exploiting the MOVEit vulnerability and extorting victims.

Sun Life, one of Canada’s largest insurance providers, said that data belonging to some of its U.S. customers was compromised after one of its vendors — Pension Benefit Information (PBI) — had a server accessed by an unauthorized third party as part of the global attack.

Sun Life says it shares certain information with PBI to support business operations such as paying life insurance and related benefits in a timely manner. Additionally, PBI uses MOVEit to transfer files internally and between parties.

Hackers were able to access information such as name, Social Security Number, policy and account number, and/or date of birth of some members and account holders.

However, no financial information like account values or medical claims were exposed, according to a notice from Sun Life U.S.

The company assured its members they take information security “very seriously” and are conducting an investigation with PBI.

The insurer adds that members are encouraged to personally monitor their accounts and credit history for “signs of unauthorized activity,” and to change their account passwords – even though the latter were not exposed in the breach.

The company also recommends customers place credit card freezes or fraud alerts with credit bureaus such as Equifax, Experian and TransUnion for an additional layer of protection against misuse of personal information. 

Many of the victims are coming from governments or universities – most of which are involved in the incident due to their connection to PBI Research Services, the National Student Clearinghouse (NSC) or the Teachers Insurance and Annuity Association of America (TIAA).

Officials from the University of Illinois said that they are communicating with students, faculty and staff about the incident after discovering information from their school was involved.

There has been a steady stream of announcements from dozens of the biggest schools, banks and companies in the world confirming their exposure to the MOVEit issue – the third file transfer vulnerability exploited by the Clop ransomware group in the last two years.

TD Ameritrade and law firms Kirkland & Ellis, Proskauer Rose and K&L Gates have come forward to confirm that they were affected.

Emsisoft ransomware expert Brett Callow, who has kept a running tally of victims, said the number has now reached 254, with the information of at least 17.7 million people exposed.

MOVEit is a managed file transfer software product produced by Ipswitch, Inc. (now part of Progress Software).

MOVEit encrypts files and uses secure File Transfer Protocols to transfer data, as well as providing automation services, analytics and failover options.

The software has been used in the healthcare industry by companies such as Rochester Hospital and Medibank, as well as thousands of IT departments in high technology, government, and financial service companies like Zellis.

In 2023, it was reported that the zero-day vulnerability of May 31, 2023 had been exploited by attackers.

On 7 June 2023, the cyber gang Clop, believed to be Russian-based, published a blog post saying that they had gained access to MOVEit transactions worldwide, and that organisations using MOVEit had until 14 June to contact Clop and pay a ransom, otherwise stolen information would be published.

Details typically include payroll data with fields such as home addresses, National Insurance numbers, and bank details, but vary. The group said that they had information from eight UK organisations including the BBC, obtained through an attack on payroll services provider Zellis.

It was surmised that Clop made contact via blog post rather than by emailing victims because the enormous number of victims was too many to handle individually.

by Nataly Kramer