MOVEit Breach Impacts Genworth, CalPERS as Data for 3.2 Million Exposed

Cyber Security Threat Summary:
PBI Research Services has experienced a data breach, resulting in the disclosure of sensitive information for approximately 4.75 million individuals. This breach occurred during the recent series of data-theft attacks targeting MOVEit Transfer. The attacks, initiated by the Clop ransomware gang, commenced on May 27th, 2023. Exploiting a previously unknown vulnerability in MOVEit Transfer, the gang proceeded to extract data from numerous companies, including PBI and its three clients. In recent days, the Clop gang has adopted an extortion strategy of gradually revealing the names of affected organizations on its data leak site. The tactic aims to exert pressure on victims, compelling them to meet the gang's ransom demands.

“According to three different disclosures from PBI clients, millions of customers have had their sensitive data exposed in these attacks. However, this number may increase as other companies make further disclosures. The first impacted entity is Genworth Financial, a Virginia-based life insurance services provider. In a MOVEit Security Event notice published on their website, Genworth says PBI informed them of the security breach on June 16, 2023, and subsequently verified that customers' personal data was stolen. The firm estimates that the data breach impacted between 2.5 and 2.7 million individuals who are either its customers (insurance, annuity, long-term care) or working for them as insurance agents” (Bleeping Computer, 2023).

The compromised data includes sensitive information such as customers' full names, dates of birth, social security numbers, zip codes, states of residence, policy numbers, and agent IDs (for agents). Genworth Financial emphasizes that its own systems, network, and business operations remain unaffected by this attack, since it does not use the MOVEit or GoAnywhere products. Individuals impacted by the breach will receive data breach notifications in the coming weeks. The notifications will provide detailed instructions on how to enroll in complimentary credit monitoring and identity theft protection services.

The third company impacted by PBI's data breach is CalPERS (California Public Employees' Retirement System), the largest public pension fund in the US, which is now informing retirees and beneficiaries about the event. CalPERS has issued a notice on its website, stating that it responded to the breach as soon as it became aware of the incident. Immediate measures were taken to safeguard the benefits and data of its members, including strengthening the data management protocols that govern work with contractors. The agency disclosed that approximately 796,000 of its members have been affected by the security incident. All impacted individuals will receive notification letters containing comprehensive instructions on how to enroll in a two-year credit monitoring service provided by Experian, free of charge. This service aims to help members monitor and protect their credit profiles during this period.

Security Officer Comments:
Currently, PBI Research Services does not appear on Clop's data leak site. There are two potential reasons for this: either the company is engaged in negotiations with the threat actors to prevent data release, or Clop has not yet initiated extortion activities targeting PBI Research Services. A spokesperson for PBI Research Services has provided a statement to Bleeping Computer explaining that PBI does use the MOVEit file transfer application in collaboration with several clients. Toward the end of May, Progress Software discovered a zero-day vulnerability within the MOVEit software. In response, PBI swiftly applied a patch to its MOVEit instance, assembled a team of cybersecurity and privacy experts, notified law enforcement, and initiated communication with potentially affected clients. PBI is actively working alongside impacted clients to identify individuals who may have been affected and to develop comprehensive notification plans.

Suggested Correction(s):
Back up your data, system images, and configurations, test the backups regularly, and keep them offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical: if your network data is encrypted by ransomware, your organization can still restore its systems.
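The "regularly test them" part of the recommendation above is the step most often skipped. The following is an added example, not code from the article or from any of the organizations it names: a minimal POSIX shell routine that creates an archive, records its SHA-256 checksum, and then proves the backup is usable by restoring it into a scratch directory and comparing the result with the live tree. The directory layout and file contents at the bottom are constructed for the demo; the checksum step also catches a stored copy that has been altered or corrupted, which is the failure mode an offline-but-never-tested backup hides.

```shell
#!/bin/sh
# Added example: create a backup, then verify it by checksum and by a real
# restore. All paths below are hypothetical; adapt SRC/DEST to your systems.
set -eu

# backup_create SRC DEST: archive SRC into DEST/backup.tar.gz and record
# its SHA-256 in DEST/backup.sha256 (checksum file kept beside the archive).
backup_create() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    tar -czf "$dest/backup.tar.gz" -C "$src" .
    ( cd "$dest" && sha256sum backup.tar.gz > backup.sha256 )
}

# backup_verify SRC DEST: (1) check the stored archive against its recorded
# checksum, (2) restore it into a temporary directory and diff it against
# SRC. Prints OK and returns 0 only if both checks pass; otherwise FAIL / 1.
backup_verify() {
    src="$1"; dest="$2"
    if ! ( cd "$dest" && sha256sum -c backup.sha256 >/dev/null 2>&1 ); then
        echo FAIL   # archive altered, corrupted, or checksum file missing
        return 1
    fi
    scratch=$(mktemp -d)
    if tar -xzf "$dest/backup.tar.gz" -C "$scratch" 2>/dev/null \
       && diff -r "$src" "$scratch" >/dev/null 2>&1; then
        rm -rf "$scratch"
        echo OK
        return 0
    fi
    rm -rf "$scratch"
    echo FAIL       # archive unreadable or restored tree differs from source
    return 1
}

# Stand-alone demo on a constructed tree (not real data): back it up,
# verify it, and show that a tampered archive is rejected.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/src/conf"
echo "alpha record" > "$demo_root/src/a.txt"
echo "db_host=example.invalid" > "$demo_root/src/conf/app.ini"
backup_create "$demo_root/src" "$demo_root/backups"
echo "fresh backup: $(backup_verify "$demo_root/src" "$demo_root/backups")"
printf 'x' >> "$demo_root/backups/backup.tar.gz"   # simulate corruption
echo "tampered backup: $(backup_verify "$demo_root/src" "$demo_root/backups" || true)"
rm -rf "$demo_root"
```

Run the verification on a schedule from a host that can reach the offline copy only for the duration of the test, and alert on any FAIL rather than only logging it; a backup that has not been restored successfully is an assumption, not a control.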

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated, and that you carefully filter and limit internet access to operational networks. Identify the links between these networks and develop workarounds or manual controls so that ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Link(s):
https://www.bleepingcomputer.com/ne...worth-calpers-as-data-for-32-million-exposed/