PBI Data Breach: Everything You Need to Know

June 20, 2024
·
3 min
deleteme

Protect yourself from future breaches

Of recent cybersecurity incidents, the Pension Benefit Information LLC (PBI) data breach was one of the most serious, due to the protected information that was seized. 

What went wrong in the PBI database? Why was such a large company unable to protect its client base’s sensitive information? And what was the fallout?

Let's dive deep into what occurred, what the implications are, and how you can safeguard your personal information against similar incidents in the future.

What happened in the PBI data breach?

The PBI data breach involves a lot of moving parts.

PBI is a third-party vendor that provides data verification services for insurance agencies, financial institutions, and other organizations. Its primary role is to hold and update data so its collaborators can manage pension and insurance policies while reducing fraud and making sure benefits are correctly distributed. A lot of this information is highly sensitive, involving names, addresses, dates of birth, and social security numbers. 

The main takeaway here is that PBI holds a lot of sensitive data for many different companies, making it a prime target for a group like the Clop ransomware gang. Clop’s wider target was Progress Software’s MOVEit Transfer file-sharing solution, meaning PBI was just one of many companies affected.

Traditionally, hackers would steal data, and then extort money from businesses to keep these embarrassing data breaches quiet. However, a recent Coveware report suggested that in 2023, only 34% of victims paid. Instead, they would simply report the leak and suggest how to mitigate the outcomes. 

Therefore, hackers changed tactics, targeting a vast amount of companies at the same time, i.e. users of MOVEit. As long as a few victims pay up to the high demands, it’s worthwhile for the hackers. 

A timeline of the PBI data breach

May 27, 2023 The Clop ransomware gang begins attacking a zero-day vulnerability (a previously unknown security flaw) in third-party MOVEit, which PBI was using for file transfer. Both PBI and MOVEit were utterly blindsided by the event. 

June 2, 2023 — PBI becomes aware of the compromise, patches the gap, and launches an internal PBI data breach investigation.

June 4, 2023 — PBI starts sending notifications to affected individuals, offering 12 or 24 months of free credit monitoring and identity theft protection services. 

Is there a PBI data breach investigation?

Yes, PBI immediately launched an investigation into the attack, supported by a team of cybersecurity and privacy experts. This investigation identified that the breach only affected clients whose data was transferred using the MOVEit portal, and the ransomware gang did not gain access to PBI’s systems.

PBI’s collaborating companies also launched their own investigations. For example, Milliman Solutions alerted the HHS Office for Civil Rights and the Attorney General of Maine.

The extent and impact of the PBI data breach

The PBI data breach was primarily an attack on MOVEit, an app used by federal and state governments, universities, healthcare organizations, and corporations worldwide. 

It’s difficult to put a number on the amount of people affected, due to PBI playing a role in the workflows of such a great number of companies. However, the company announced in mid-July 2023 that it was up to over 1.2 million people

Subsequent announcements from companies PBI works with have pushed that number to at least ten times higher. For example, 2.5 to 2.7 million Genworth Financial clients and almost 1.5 million Wilton Reassurance customers were hit. 

It was well worth it for the hackers themselves, however, who earned an expected $75 million to $100 million by extorting the victims of their attack. 

What companies were affected by the PBI data breach?

There is no exhaustive list of every party impacted yet. PBI has contracts with thousands of companies worldwide, increasing the number of consumers affected. Some of the organizations include: 

  • Genworth Financial
  • Wilton Reassurance
  • CalPERS
  • CalSTRS
  • MEMBERS Life Insurance Company 
  • CMFG Life Insurance Company
  • The Independent Order of Foresters
  • Virginia Retirement System
  • Central States Pension Fund

Anyone who is currently paying into or receiving pension benefits or who has worked with an agency to procure insurance should check to make sure that their data was not compromised. 

What data was leaked and exposed in the PBI breach?

The personal data that was reportedly leaked in the breach includes, but isn’t limited to:

  • Full name
  • Date of birth
  • Social security number
  • Zip code
  • State of residence
  • Policy number
  • Agent ID (for agents)

The compromised data is particularly sensitive since it comprised personal identifiers like names and addresses, but more alarmingly, also included social security numbers. Such information can be misused for identity theft, financial fraud, and other malicious activities.

How do I know if I was a victim of the PBI breach?

PBI claims to have contacted all impacted clients directly. If you haven’t been contacted, it is unlikely that you are a victim. 

To make sure, head to Have I Been Breached to see if your email address or phone number was involved in the PBI data breach or any others.

What to do if the PBI breach impacted you

You need to act swiftly if you believe your data might have been compromised. Prompt action can mitigate potential harm and secure your information.

Once you receive confirmation that your personal information may have been a part of the PBI data breach, there are several steps you should take immediately:

1. Monitor your credit and online information

Set up credit monitoring to check for identity theft and potential fraud. You can either manually monitor your information or use a credit monitoring tool to scan your accounts for any unusual spending or behavior.

You can also actively scan and remove personal information from the web. Enter your phone number, Cloaked’s risk assessment scan will determine your level of risk, before deleting any occurrences in 120+ data brokers and websites. This helps to make you less vulnerable to fraud, scams, and phishing attempts. 

2. Change your passwords 

The PBI data breach is a wake-up call to millions that they need to keep themselves safe online. Changing your password to affected accounts is the quickest and easiest way to do that. Mix uppercase and lowercase letters, numbers, and special characters to repel hackers.

Reusing the same password is unsafe—no matter how strong it is. If a cybercriminal gets their hands on it through a breach like PBI’s, they could waltz into all your accounts.

Remembering numerous passwords can be challenging, which is why many people turn to reliable password managers. While Google Password Manager is convenient and integrated with Chrome, it can be a prime target for hackers and has limited security features compared to more advanced options. 

Advanced password managers like Cloaked can generate complex passwords effortlessly and secure them with encrypted, password-protected links and one-time passcodes.

Cloaked’s password manager enhances your online security by masking your identity and offering two-factor authentication to protect against unauthorized access. 

3. Ask for additional resources

Seek additional resources provided by your state, agency, or institution to help offset the risk. 

Stay in contact with your most trusted agencies to stay informed of what’s going on and of any additional measures you need to take to protect yourself. 

For example, the Virginia Retirement System, Central States Pension Fund, and the Tennessee State Employers Association all provide updates to their clients and members.

4. Learn about lawsuits and PBI data breach compensation

Several class-action lawsuits have been filed against PBI in response to the data breach. The lawsuits allege negligence in data security measures and seek compensation for damages incurred by the affected individuals. 

PBI data breach compensation claims typically include costs for identity theft protection, reimbursement for financial losses, and damages for emotional distress. Although data leaked in the PBI case didn’t necessarily include personal health information (PHI), it could have been in the same data set as PHI, so it qualifies as a HIPAA data breach

Corporations such as The Lyon Firm are running legal proceedings on behalf of plaintiffs nationwide. Affected individuals are encouraged to join the class-action suits if they have experienced significant impacts due to the breach.

5. Protect your personal data online

As online identity protection becomes crucial, Cloaked offers a comprehensive solution to keep you safe:

  • Disposable email addresses: Use anonymous emails for registrations, ensuring companies only see your “Cloaked” address and not your real address.
  • Temporary phone numbers: Generate temporary numbers for services, protecting your real number and enhancing privacy.
  • Privacy browser extensions: Block trackers and ads to keep your online activity anonymous and reduce data collection.
  • Safely share logins Share encrypted logins and passwords with select recipients and set time limits to prevent misuse of real-life data.
  • One-time passcodes: Store and autofill one-time passcodes across devices for secure logins.
  • Sensitive information storage: Save and control access to additional sensitive information like bank details and API keys.
  • Data removal: Cloaked monitors, deletes, and protects your personal information online.
  • Identity theft insurance: Bundle Identity Theft Protection with your Cloaked subscription which include $1 million dollars in comprehensive coverage. 
  • Virtual credit cards (currently in friends and family beta): Create single or limited-use virtual cards to safeguard your financial information during transactions.

Find out more about how Cloaked works.

Learn more about the PBI data breach

The PBI data breach has raised many questions, concerns, and suspicions among those affected. This FAQ section aims to provide clear and concise answers to some of the most pressing inquiries. 

Is a PBI data breach letter legitimate?

There is indeed a legitimate PBI data breach that the company claims it has sent out to all affected clients. These letters inform recipients about the incident, the type of data that was potentially exposed, and the steps they should take to protect themselves. If you receive such a letter, follow the recommended actions, such as monitoring your financial accounts and changing your passwords.

That said, it’s good to be suspicious of letters designed to shock you into action, especially when you don’t recognize the sender and they ask you to provide sensitive information to sign up for a new service. To give you more confidence, you can find an image featuring a template of the PBI data breach letter below. 

Source: Office of the Maine Attorney General

Was there a data breach with PBI?

Yes, there was a significant data breach involving PBI. Hackers exploited a vulnerability in MOVEit, a file transfer software that PBI and many other organizations were using. The attack exposed sensitive personal information, including the names, addresses, dates of birth, and social security numbers of millions of individuals. 

Resulting investigations led to heightened security measures to prevent similar incidents in the future. 

Is PBI a legitimate company?

PBI, or Pension Benefit Information LLC, is a legitimate company. It is a reputable third-party vendor that provides data verification services for insurance agencies, financial institutions, and other organizations. PBI verifies beneficiary information and ensures the accuracy of records held by these institutions. 

Despite the recent data breach, PBI continues to operate as a trusted entity in the financial and insurance sectors and is working to enhance its security measures and protect the data it manages.

Protect yourself from the PBI data breach and beyond 

In an increasingly digital world, data breaches like the PBI incident remind us of the vulnerabilities that exist. Staying informed, vigilant, and proactive in safeguarding personal data is more crucial than ever. As consumers, it's essential to understand the digital landscape's risks and equip ourselves with knowledge and resources.

One of the best ways to limit your personal data breach risk is to share as little personally identifiable information as possible. Create unique identities for every new account or connect using Cloaked, and control what you share and who you share it with. 

Start protecting yourself online today.

Other data breaches to know about

AT&T

Temu

Luxottica

Chick-Fil-A

MOVEit

Reventics

23andMe

LastPass

Bricklink

Carvin Wilson

Mr. Cooper

Helpful Links and Other Resources

To report identity theft: https://www.ftc.gov/news-events/topics/identity-theft/report-identity-theft

To freeze your credit: https://www.usa.gov/credit-freeze

Current information on the PBI data breach: https://www.pbinfo.com/the-moveit-cyberattack-what-happened-pbis-response-whats-next

Information on how to protect your data:

https://www.cloaked.app/post/how-do-i-limit-the-data-i-share-online

https://www.cloaked.app/post/data-collection-red-flags-what-to-look-for-in-privacy-policies

Protect yourself from future breaches

View all
Data Breaches
September 30, 2024

Recognizing Phishing Attempts in Online Dating: Tales from the Digital Love Hunt

Recognizing Phishing Attempts in Online Dating: Tales from the Digital Love Hunt

by
Pulkit Gupta
Data Breaches
September 30, 2024

Recognizing Phishing Attempts in Online Dating: Tales from the Digital Love Hunt

Recognizing Phishing Attempts in Online Dating: Tales from the Digital Love Hunt

by
Pulkit Gupta
Data Breaches
September 17, 2024

Navigating the Maze of Third-Party Vendor Management: A Guide for Small Business Owners

Navigating the Maze of Third-Party Vendor Management: A Guide for Small Business Owners

by
Arjun Bhatnagar
Data Breaches
September 17, 2024

Navigating the Maze of Third-Party Vendor Management: A Guide for Small Business Owners

Navigating the Maze of Third-Party Vendor Management: A Guide for Small Business Owners

by
Arjun Bhatnagar
Data Breaches
September 16, 2024

Navigating the Storm: Crafting an Effective Incident Response Plan for Small Business Owners

Navigating the Storm: Crafting an Effective Incident Response Plan for Small Business Owners

by
Pulkit Gupta
Data Breaches
September 16, 2024

Navigating the Storm: Crafting an Effective Incident Response Plan for Small Business Owners

Navigating the Storm: Crafting an Effective Incident Response Plan for Small Business Owners

by
Pulkit Gupta