Prudential Financial, a prominent global financial services company, has disclosed that a February data breach compromised the personal information of more than 2.5 million people. The breach was detailed in an 8-K form filed with the U.S. Securities and Exchange Commission (SEC).
Incident Details
The breach, detected on February 5, occurred just one day after attackers infiltrated Prudential’s systems. The cybercriminals, suspected to be part of a known cybercrime group, accessed administrative data, user data, and accounts of employees and contractors.
In March, Prudential reported to the Maine Attorney General's Office that over 36,000 individuals had their personal information stolen during the breach. This included names, driver's license numbers, and non-driver identification card numbers.
Prudential stated, "Through the investigation, we learned that the unauthorized third party gained access to our network on February 4, 2024 and removed a small percentage of personal information from our systems. As part of our response, we have worked with leading cybersecurity experts to confirm the unauthorized third party no longer has access to our company systems."
However, a recent update from the company has revealed the true scale of the breach, with 2,556,210 people affected.
The Role of ALPHV/Blackcat Ransomware Gang
The ALPHV/Blackcat ransomware gang claimed responsibility for the attack on February 13. This group is notorious for its sophisticated operations, having been linked by the FBI to over 60 breaches worldwide within its first four months of activity. The gang allegedly amassed at least $300 million from over 1,000 victims up to September 2023.
ALPHV is also known for its abrupt shutdown after an exit scam, where it stole a $22 million ransom from Notchy, an affiliate involved in the Change Healthcare breach.
Previous Incidents
This breach follows another significant exposure for Prudential. In May 2023, the personal information of an additional 320,000 customers was exposed after the Clop cybercrime gang hacked the MOVEit Transfer file-sharing platform of Pension Benefit Information (PBI), a third-party vendor handling Prudential’s data. The compromised data included names, addresses, dates of birth, phone numbers, and Social Security numbers.
Compliance and Response Issues
The delay in notifying affected consumers has raised compliance concerns. Rogier Fischer, CEO and Co-Founder of Hadrian Security, highlighted several issues: "Although the finer details of the attack and the damage are not yet out, the breach notification throws up several compliance issues. There was a 52-day delay in notifying consumers of the breach, which exceeds the 30-day limit mandated by many state laws such as the Maine Data Security Breach Notification Law."
Fischer also pointed out the potential for automated systems to prevent such breaches: "Automated breach testing and compliance reporting could have identified vulnerabilities, ensured policy enforcement, and facilitated quicker responses to risks, thereby preventing the breach. These systems could have also flagged the need for improved employee training to mitigate social engineering risks."
Moving Forward
As Prudential Financial continues to manage the fallout from this breach, the incident underscores the importance of robust cybersecurity measures and timely breach notifications. With the scale and frequency of such attacks increasing, companies must ensure stringent data protection and rapid response protocols to safeguard sensitive information and maintain consumer trust.