Ransomware Gang Has 6M Life and Annuity Client Records

News July 06, 2023 at 10:44 AM

Companies that write and reinsure your clients' life insurance policies and annuity contracts say the Clop Ransomware Gang has stolen personal records for at least 6 million people, and that many of the stolen records include Social Security numbers.

The life and annuity issuers are caught up in a massive cyberattack that has affected hundreds of companies and government agencies throughout the world since late May.

Affected life insurers and reinsurers use a file transfer system called MOVEit to exchange data with PBI Research Services. Since January, the Clop gang has been using a vulnerability in the file transfer system to install ransomware software on organizations' computers.

Clop announced on June 7 in a blog post that it would begin publishing stolen client information if affected companies did not make ransom payments by June 14. The organization appears to be continuing to negotiate with some victims, but it has started posting some of the affected records on a site on the "dark web," according to press reports.

The total number of affected life and annuity customers may be much smaller than the number of records affected. Some people may have had two or more life or annuity products included in the hacked data. A life insurer and a reinsurer also may have had separate affected records related to the same underlying product.

What It Means

Thieves, blackmailers and other foes who want to see your clients' personal information and get into their retirement accounts, annuity accounts, life insurance accounts and other accounts may now find it cheaper and easier to accomplish those tasks.

Known Life, Health & Annuity Clop Victims

Here's a look at some of the companies affected by the Clop attack and the number of policyholders and other customers who might have been involved, based on SEC filings and reports to the Maine attorney general's office, which has an especially well-organized, easy-to-use incident report database.

  • Genworth Financial: 2.5 million to 2.7 million
  • Wilton Re: 1.5 million
  • F&G Annuities & Life: 873,000
  • Jackson National: 700,000
  • Talcott Resolution Life: 552,821
  • Corebridge Financial: Number not provided

The affected firms say they have been working with PBI Research Services and law enforcement authorities to respond to the attack, are providing access to identity theft protection services for the affected people, are still assessing the cost of dealing with the attack, and do not think that the attack will cause material harm to their operations and financial results.

Jackson noted that it detected unauthorized access to two servers as a result of the attack, but that the scope of the attack was much narrower than the scope of the PBI attack.

"Notably, the unauthorized actor did not gain access to any other systems or software, there was no interruption of Jackson's business operations," the company said in an SEC filing.

Other Victims

The Clop gang's new MOVEit-based attack has affected organizations of all kinds.

Bloomberg reported last week that one of the affected organizations is the U.S. Department of Health and Human Services, the agency that oversees Medicare.

HHS also has arms to promote health data security and punish hospitals, health insurers and other organizations with weak health data security.

Bloomberg found that the HHS hack may have compromised the records of 15 million people.

Clop

The Clop Ransomware Gang, which is also known as TA505, is a large distributor of phishing software and malware delivered through spam. It has compromised about 8,000 organizations around the world, according to an FBI-CISA advisory.

The gang "is known for frequently changing malware and driving global trends in criminal malware distribution," officials said.

The gang offers a range of data access services, including sending the emails used to trick legitimate system users into revealing their passwords; paying outside "initial access brokers" for access to hacked systems; and selling access to the hacked systems to other organizations.

Hackers created Clop's ransomware system by modifying an older ransomware program, CryptoMix. Law enforcement officials first noticed the Clop ransomware system in action in February 2019.

In late January 2023, the Clop gang used a vulnerability in one file transfer system to install ransomware software on organizations' computers. It then warned the executives that it would publish their stolen data if the organizations did not make ransom payments, according to the FBI-CISA advisory.

MOVEit

MOVEit is a file transfer system that was released by Standard Networks in 2002. The original version runs on an organization's own computers.

Ipswitch, a software developer based in Galway, Ireland, acquired Standard Networks in 2008. It released MOVEit Cloud, a file transfer system that operates on outside computers reached through the internet, in 2012.

Progress Software, a software company based in Burlington, Massachusetts, acquired Ipswitch in 2019.

In May, the Clop gang used a vulnerability in the MOVEit software to hack into MOVEit users' MOVEit databases, install an interface called LemurLoot, and steal data from the users' MOVEit databases.

Progress discovered the vulnerability May 28. The company has been working since then to understand the problem, patch the vulnerability, notify customers and work with law enforcement agencies.

Progress and law enforcement officials emphasize that the vulnerability associated with the new wave of hacking cases was patched in May.

PBI Research Services

The Clop attack on MOVEit affected life insurers and reinsurers because many of those companies used MOVEit systems to exchange data with PBI Research Services.

PBI is a Minneapolis-based company that helps life insurance issuers, annuity issuers, pension plans and similar organizations track policyholders, annuity contract holders, plan participants and other customers and beneficiaries, to improve performance and comply with regulations.

PBI said in a statement that it learned that it was affected by the MOVEit vulnerability in late May.

The Clop attack on MOVEit "did impact a small percentage of our clients who use the MOVEit administrative portal software, resulting in access to private records," PBI said.

"This incident did not gain access to PBI's core systems or software. PBI promptly patched its instance of MOVEit, assembled a team of cybersecurity and privacy specialists, notified federal law enforcement, and contacted impacted clients," the firm said.

PBI is working with customers to notify and support individuals affected by the incident, the company said.

How to Respond

The Cybersecurity and Infrastructure Security Agency (CISA) is treating the Clop attack as a major attack and providing detailed advisories about how companies' cybersecurity teams should respond.

In June, CISA recommended in an advisory that insurers that know they are affected, or believe that they could be affected, should:

  • Take an inventory of assets and data, identifying authorized and unauthorized devices and software.
  • Grant administration privileges and access only when necessary.
  • Establish an allowed software list that limits what can run on their systems to specified applications.
  • Monitor network hardware carefully, to see what kinds of information are flowing in and out.
  • Regularly patch and update software and applications to their latest versions.
  • Conduct regular vulnerability assessments.

In a set of answers to questions frequently asked by customers, PBI said its customers can help reduce the risk of harm related to the Clop attack by encrypting files before uploading them.

"You can also delete your own results files once you've successfully downloaded [them]," the company said.

HHS, which is involved in the Clop attack both through arms that try to improve health information data security and as a victim whose data was accessed in the attack, is posting Clop attack updates.

The Cost of Records

One economic force that could eventually limit the impact of attacks comparable to the new Clop attack on MOVEit is the increasing amount of client information that's already available for a modest price online.

Keeper Security, an online account security firm, has reported that the typical Social Security number now sells for just $1, partly because people who learn they have been attacked are quick to change financial account access information.

Health records have a longer shelf life and a higher price, because attackers may be able to use the records to blackmail people or humiliate them.

"However, due to a large number of such records having been stolen recently and then dumped onto the dark web for sale, prices have dropped," Keeper said.

Complete electronic medical records may sell from $100 to $1,000 each, but the kinds of health records obtained through large-scale attacks typically sell for just $1.50 to $10 per record, Keeper estimated.
