Ransomware Gang Has 6M Life and Annuity Client Records
What You Need to Know
Federal investigators say the MOVEit attack organizer is great at what it does.
The biggest victim may be the U.S. Department of Health and Human Services.
A flood of stolen data has cut the price of a Social Security number on the dark web to $1.
Companies that write and reinsure your clients’ life insurance policies and annuity contracts say the Clop Ransomware Gang has stolen personal records for at least 6 million people, and that many of the stolen records include Social Security numbers.
The life and annuity issuers are caught up in a massive cyberattack that has affected hundreds of companies and government agencies throughout the world since late May. Affected life insurers and reinsurers use a file transfer system called MOVEit to exchange data with PBI Research Services. Since January, the Clop gang has been using a vulnerability in the file transfer system to install ransomware software on organizations’ computers.
Clop announced on June 7 in a blog post that it would begin publishing stolen client information if affected companies did not make ransom payments by June 14. The organization appears to be continuing to negotiate with some victims, but it has started posting some of the affected records on a site on the “dark web,” according to press reports.
The total number of affected life and annuity customers may be much smaller than the number of records affected. Some people may have had two or more life or annuity products included in the hacked data. A life insurer and a reinsurer also may have had separate affected records related to the same underlying product.
What It Means
Thieves, blackmailers and other foes who want to see your clients’ personal information and get into their retirement accounts, annuity accounts, life insurance accounts and other accounts may now find it cheaper and easier to accomplish those tasks.
Known Life, Health & Annuity Clop Victims
Here’s a look at some of the companies affected by the Clop attack and the number of policyholders and other customers who might have been involved, based on SEC filings and reports to the Maine attorney general’s office, which has an especially well-organized, easy-to-use incident report database.
Genworth Financial: 5 million to 2.7 million
Wilton Re: 5 million
F&G Annuities & Life: 873,000
Jackson National: 700,000
Talcott Resolution Life: 552,821
Corebridge Financial: Number not provided
The companies affected say that they have been working with PBI Research Services and law enforcement authorities to respond to the attack; that they are providing access to identity theft protection services for the affected people; that they are still assessing the cost of dealing with the attack; and that they do not think that the attack will cause material harm to their operations and financial results.
Jackson noted that it detected unauthorized access to two servers as a result of the attack, but that the scope of the attack was much narrower than the scope of the PBI attack.
“Notably, the unauthorized actor did not gain access to any other systems or software, there was no interruption of Jackson’s business operations,” the company said in an SEC filing.
Other Victims
The Clop gang’s new MOVEit-based attack has affected organizations of all kinds.
Bloomberg reported last week that one of the affected organizations is the U.S. Department of Health and Human Services, the agency that oversees Medicare.
HHS also has arms to promote health data security and punish hospitals, health insurers and other organizations with weak health data security.
Bloomberg found that the HHS hack may have compromised the records of 15 million people.
Clop
The Clop Ransomware Gang, which is also known as TA505, is a large distributor of phishing software and malware delivered through spam. It has compromised about 8,000 organizations around the world, according to an FBI-CISA advisory.
The gang “is known for frequently changing malware and driving global trends in criminal malware distribution,” officials said.
The gang offers a range of data access services, including sending the emails used to trick legitimate system users into revealing their passwords; paying outside “initial access brokers” for access to hacked systems; and selling access to the hacked systems to other organizations.
Hackers created Clop’s ransomware system by modifying an older ransomware program, CryptoMix. Law enforcement officials first noticed the Clop ransomware system in action in February 2019.
In late January 2023, the Clop gang used a vulnerability in one file transfer system to install ransomware software on organizations’ computers. It then warned the executives that it would publish their stolen data if the organizations did not make ransom payments, according to the FBI-CISA advisory.
MOVEit
MOVEit is a file transfer system that was released by Standard Networks in 2002. The original version runs on an organization’s own computers.
Ipswitch, a software developer based in Galway, Ireland, acquired Standard Networks in 2008. It released MOVEit Cloud, a file transfer system that operates on outside computers reached through the internet, in 2012.
