American insurance firm Prudential has revised a breach notice for a cyber attack that hit the company in February 2024, now stating that over 2.5 million individuals had their data stolen.
The company’s initial filing to the Attorney General’s Office in Maine listed the number of affected persons as 36,545, revealing a drastic increase in the scope of the attack.
One of the major life insurance providers in the US and beyond, Prudential boasts approximately 50 million customers around the world.
According to Prudential, the attackers were able to access these individuals’ names and other personal identifiers, as well as their driver’s license numbers and other non-driver ID card numbers.
It is not clear what led to this revision, ITPro has approached Prudential Financial for clarification on this development and received the following statement:
"As a part of our response to the cybersecurity incident disclosed in February, Prudential worked diligently to complete a complex analysis of the affected data and notify individuals, as appropriate, on a rolling basis starting on March 29, 2024.
"Prudential’s notifications are substantially complete at this time. We are providing all affected individuals with 24 months of complimentary credit monitoring as an additional protection."
"We take this incident and our responsibility to protect personal information extremely seriously. We have taken, and will continue to take, proactive measures to enhance our security protocols, and protect our systems and data.”
In a statement given to The Record, a spokesperson for Prudential said the information leaked during the incident was different for each individual.
Prudential incident highlights “disjointed” security practices
The initial breach took place on 2 February 2024 and was discovered two days later, according to the filing, with a description of the incident listed as a social engineering attack.
“Through the investigation, we learned that the unauthorized third party gained access to our network on February 4, 2024, and removed a small percentage of personal information from our system”
Prudential has not shared any further information on the threat actors behind the attack, but did not directly refute claims from ALPHV/Blackcat that it was responsible for the attack.
ALPHV added Prudential to its dedicated leak site on 16 February 2024, although they did not provide any sample data of proof of their access.
Nick Tausek, lead security automation architect at Swimlane suggested that disjointed tooling across an increasingly complicated technology stack is leaving security gaps in many organization’s network perimeter, and threat actors are targeting these weak spots.
"While their security teams need various tools to protect complex technology environments, disjointed tools that lack cross-communication and cloud integration are straining team bandwidth and creating security gaps,” he said.
“Cyber criminals are taking advantage of these gaps, leading to frequent and costly breaches. According to a recent report from Swimlane and Omdia, 42% of financial organizations have had at least one breach with a total cost of $1M in the last 12 months, with 20% experiencing a breach with a total cost of more than $5M.”
