MOVEit hack claims Calpers and Genworth as millions more victims impacted

(Reuters) -The number of victims of the MOVEit hack grew by several million on Thursday after the biggest U.S. pension fund, Calpers, and insurer Genworth Financial said personal information of their members and customers had been compromised.

Both said a third-party vendor, PBI Research Services, was affected in a data theft hack, providing a path for the hackers to then steal customer data. PBI could not be reached for comment.

Calpers said on June 6, 2023, PBI told them of a “vulnerability” in their MOVEit Transfer software that allowed hackers to download “our data”. The fund said approximately 769,000 members, that include retirees and beneficiaries, were impacted.

The MOVEit software is widely-used by organizations around the world to share sensitive data.

Genworth Financial was harder hit, saying personal information of nearly 2.5 million to 2.7 million of its customers was breached.

“The personal information of a significant number of insurance policyholders or other customers of its life insurance businesses was unlawfully accessed,” Genworth said.

The hack did not impact Genworth’s information systems and there has been no “material interruption” of its business operations, the company said.

Genworth also does not use the MOVEit software application, a spokesperson for the company said.

From U.S. government departments to the UK’s telecom regulator and energy giant Shell, a range of victims have emerged since Burlington, Massachusetts-based Progress Software found the security flaw in its MOVEit Transfer product last month.

The insurer said it is working to ensure “protection services” are provided to the impacted individuals, according to a regulatory filing.

Data taken from Calpers included members’ first and last name, date of birth and social security number. It serves more than 2 million members in its retirement system.

The MOVEit hack has hit several state and federal agencies. Last week, the U.S. Department of Energy got ransom requests from the Russia-linked extortion group Cl0p at both its nuclear waste facility and scientific education facility that were recently hit in a global hacking campaign.

Data was compromised at the two DOE entities after hackers breached their systems through a security flaw in MOVEit Transfer.

The wide-ranging impact of the hack shows how even the most security-minded federal agencies are struggling to defend against ransomware attacks. Ransomware gangs typically scour for such widely-used tools.

(Reporting by Niket Nishant in Bengaluru and Chris Sanders in Washington DC; Editing by Maju Samuel, Daniel Wallis and David Evans)