The New Jersey-based financial services company Prudential Financial has revealed that the February data breach affected 2.5 million individuals.
“Through the investigation, we learned that the unauthorized third party gained access to our network on February 4, 2024, and removed a small percentage of personal information from our systems,” the company said in February.
Prudential learned of the incident on February 5 and responded by initiating its internal incident response protocols, notifying relevant regulatory and law enforcement authorities, and launching an investigation.
The probe involving external cyber forensics experts determined the data breach impacted 36,000 individuals and leaked their names, driver’s license numbers, and non-driver identification card numbers.
Prudential also told the US Securities and Exchange Commission that the incident had no material impact on the company’s operations or financial position and that it did “not have any evidence that the threat actor has taken customer or client data.”
While the company did not attribute the cyber attack to any cyber gang, the ALPHV/BlackCat ransomware group claimed responsibility for the Prudential Financial data breach and listed the company on its data leak site.
Prudential financial services company data breach impacted 2.5 million people
The financial services company continued investigating the February 4 cyber attack to determine its full scope, leading to the recent discovery.
“As a part of our response to the cybersecurity incident disclosed in February, Prudential worked diligently to complete a complex analysis of the affected data and notify individuals, as appropriate, on a rolling basis starting on March 29, 2024,” the company said.
The investigation determined that the data breach impacted more individuals than Prudential had initially anticipated.
According to a new regulatory filing with the Maine Attorney General’s Office, the February data breach impacted 2,556,210 people, a far cry from the 36,545 previously reported.
The insurance company also revised its statement regarding the nature of the information stolen, which now includes names, addresses, driver’s license numbers, and identification card numbers.
The financial services company had initially disclosed that the threat actor used social engineering tactics to gain access. However, the recent filing does not specify the tactic used to gain initial access.
“While their security teams need various tools to protect complex technology environments, disjointed tools that lack cross-communication and cloud integration are straining team bandwidth and creating security gaps,” said Nick Tausek, Lead Security Automation Architect at Swimlane. “Cybercriminals are taking advantage of these gaps, leading to frequent and costly breaches. According to a recent report from Swimlane and Omdia, 42% of financial organizations have had at least one breach with a total cost of $1M in the last 12 months, with 20% experiencing a breach with a total cost of more than $5M.”
Financial services company resolved the cybersecurity threat
Prudential said it worked with leading cybersecurity experts to terminate the threat actor’s access.
“As part of our response, we have worked with leading cybersecurity experts to confirm the unauthorized third party no longer has access to our company systems,” said the company.
Prudential is also offering 24 months of Kroll credit monitoring as an additional protection from identity theft and fraud. When Prudential first filed the data breach notification, there was no evidence that the threat actor had misused the stolen information.
The financial services company also promised to continue taking “proactive measures to enhance our security protocols, and protect our systems and data.”
However, the financial services company has suffered previous data breaches in the last 12 months. In May 2023, Prudential was affected by the MOVEit data breach that exposed the personal data of 320,840 customers.
Meanwhile, the financial services company faces a class action lawsuit for allegedly failing to protect personal information in its possession, resulting in the February data breach.
“Although the finer details of the attack and the damage are not yet out, the breach notification throws up several compliance issues,” said Rogier Fischer, CEO and Co-Founder of Hadrian Security. “There was a 52-day delay in notifying consumers of the breach, which exceeds the 30-day limit mandated by many state laws such as the Maine Data Security Breach Notification Law.”