PBI Research Services Suffers Data Breach, Millions of Customers’ Sensitive Data Exposed

IT Services provider PBI Research Services has fallen victim to a data breach, with three of its clients disclosing that the data of 4.75 million people was stolen in recent MOVEit Transfer data theft attacks. The attacks began on May 27th, 2023, when the Clop ransomware gang allegedly exploited a zero-day vulnerability in MOVEit Transfer to steal data from hundreds of companies. Over the past week, the Clop gang began extorting companies by gradually listing impacted organizations on its data leak site to pressure victims to pay a ransom demand.

According to three different disclosures from PBI clients, millions of customers have had their sensitive data exposed in these attacks. However, this number may increase as other companies make further disclosures.

The first impacted entity is Genworth Financial, a Virginia-based life insurance services provider. In a MOVEit Security Event notice published on their website, Genworth says PBI informed them of the security breach on May 29th, 2023, and verified on June 16th that customers’ personal data was stolen. The firm estimates that the data breach impacted between 2.5 and 2.7 million individuals who are either its customers (insurance, annuity, long-term care) or working for them as insurance agents. The exposed data includes the full name, date of birth, social security number, zip code, state of residence, policy number, and agent ID (for agents). Genworth emphasized that this attack did not affect its own systems and network or its business operations, as it does not use the MOVEit or GoAnywhere products.

Affected individuals will receive notices of a data breach in the coming weeks, which will contain instructions on enrolling for free-of-charge credit monitoring and identity theft protection services.

The second firm impacted by the PBI breach is New York-based insurance provider Wilton Reassurance, which reports that 1,482,490 of its customers had data stolen. As reported to the Office of the Maine Attorney General, the exposed information includes customers’ names and social security numbers. Wilton Reassurance has informed that they will provide 12 months of free identity theft protection and credit monitoring services through Kroll to impacted individuals.

The third company impacted by PBI’s data breach is CalPERS (California Public Employees’ Retirement System), the largest public pension fund in the United States, which is now informing retirees and beneficiaries about the event. CalPERS says it responded to the situation immediately after learning about the breach and took actions to secure its members’ benefits and data by strengthening its data management protocols that pertain to working with contractors. The agency says approximately 769,000 of its members were impacted by the security incident, who will all receive notification letters with detailed information on how to access two years of free credit monitoring service through Experian.

As of the time of writing, PBI Research Services has not been listed on Clop’s data leak site. While this could mean that the company is negotiating with the threat actors not to release data, it could also mean that Clop has not begun extorting the organization yet.

We have reached out to PBI Research Services for comment on the situation but have not received a response as of publication.