Personal Data of 2.5M Genworth Policyholders and 769K Retired California Employees and Beneficiaries Hacked

The data breach of MOVEit file transfer software claimed more victims. The California Public Employees Retirement system (CalPERS), US’ largest public pension fund, announced that the MOVEit hack had exposed data of nearly 769,000 retired employees and beneficiaries.

The attack did not directly compromise CalPERS internal network system, rather their outsourced partner, PBI Research Services/Berwyn Group was affected by the file transfer application’s vulnerability. Closely following CalPERS announcement, US-based Genworth Financial also revealed that the same vendor’s hacking had exposed nearly 2.5 million policyholders’ data.

On June 6, 2023, CalPERS was notified of the breach, including details of the personal information downloaded by the unauthorized threat actors. Information included first and last names, date of birth, and social security numbers. It might also include names of former or current employers, spouse or domestic partner, and child or children’s details, stated CalPERS’ notification.

Similarly, on June 16, 2023, PBI notified Glenworth of the May 29-30, 2023, data breach incident. The downloaded files included personal details of policyholders’ and insurance agents like agent ID, social security number, name, date of birth, full address, and policy number. Glenworth clarified that none of its internal network system nor business operations were affected.

Nevertheless, both CalPERS and Glenworth had deployed necessary safeguards to protect the information of affected individuals, including an offering of free credit monitoring and identity theft protection services. The organizations also announced the issuance of written letters with instructions to avail these services.

The Clop ransomware gang also known as TA505 has claimed responsibility for the MOVEit Transfer attack and threatened to expose the extracted data on their dark web site. The attack which occurred last month has already claimed several victims including BBC, Ireland’s HSE, Nova Scotia government, New York City Department of Education, among others.