A large-scale data security breach has “compromised the personally identifiable information” of an estimated 42,000 Vermonters and over 38 million people across the country, the Vermont Department of Financial Regulation announced Friday.
The breach occurred when a threat actor known as CL0P Ransomware Gang infiltrated the commonly used MOVEit file-transfer software toward the end of May, according to a June 7 advisory issued by the Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security.
The Cybersecurity and Infrastructure Security Agency and the FBI have offered a reward of up to $10 million for information about the hacker group.
The state Department of Financial Regulation issued a consumer alert related to the breach on July 19, warning that at least 7,000 Vermonters who held insurance policies with any Genworth North America Corp. affiliate had “certain personal information exposed.”
Since then, 42 more companies have reported data breaches related to the MOVEit file-transfer software, according to Friday’s press release. The department said the list is expected to grow as companies continue to report breaches.
Here’s a list of affected companies so far, according to the department:
- American General Life Insurance Co.
- American National Group
- Ameriprise Financial
- Athene Annuity and Life Co.
- Bank of Burlington
- Darling Consulting Group
- Elips Life Insurance Co.
- CMFG Life Insurance Co.
- Continental General Insurance Co.
- Corebridge Financial Inc.
- Fidelity & Guaranty Life Insurance Co.
- Fidelity Life Association
- Genworth North America Corp.
- Hartford Life and Accident Insurance Co.
- Illumifin Corp.
- Jackson National Life Insurance Co.
- Lombard International Life Assurance Co.
- Lumico Life Insurance Co.
- Mass Mutual Ascend
- Members Life Insurance Co.
- Manhattan National Life Insurance Co.
- New York Life Insurance Co.
- Northwestern Mutual
- PBI Research Services Inc.
- Progressive Software Services
- Prudential Insurance Co. of America
- RiverSource Life Insurance Co.
- Sovos Compliance LLC
- Starmount Life Insurance Co.
- Sun Life and Health Insurance Co. (U.S.)
- Sun Life and Health Insurance Co. of Canada (U.S.)
- Talcott Resolution Life and Annuity Insurance Co./Talcott Resolution Life Insurance Co.
- Teachers Insurance and Annuity Association of America
- TIAA Kaspick LLC
- TIAA-CREF Life Insurance Co.
- Transamerica Life Insurance Co.
- Union Fidelity Life Insurance Co.
- Union Labor Life Insurance Co.
- Union Security Insurance Co.
- United Healthcare Student Resources
- Unum Insurance
- Wilton Reassurance Co.
According to the release, many of these affected companies work with a company called PBI Research Services Inc., which provides third-party services. Those companies include several insurance companies that operate in Vermont.
On its website, PBI said the breach affected a small percentage of its clients who use the MOVEit administrative portal software, resulting in access to private records. No access was gained to PBI’s core systems or software, the company said.
Vermonters whose data was breached should receive a letter from PBI or one of the companies listed above, the release noted. That letter will provide more details about the breach and what personal information was exposed, as well as a code to sign up for identity and credit protection. For more information on the specifics of the breach, consumers can contact PBI or one of the impacted companies.
The department encouraged Vermont consumers to “remain vigilant” against identity theft and fraud, to review account statements and to monitor free credit reports for suspicious activity or errors.