Insurance Company Prudential Financial Discloses a Security Breach of Internal Systems

America’s second-largest insurance company, Prudential Financial, has reported a security breach that leaked corporate and user data.

In an 8-K regulatory filing with the US Securities and Exchange Commission (SEC), Prudential said it detected the cyber incident on February 5, 2024, a day after the threat actor gained access to certain internal systems.

The Newark, New Jersey-based insurance company engaged external cybersecurity experts, activated its incident response plan, and notified law enforcement and regulatory authorities.

With over $1.4 trillion in assets, Prudential Financial is a Fortune 500 company offering various financial services, including insurance, investment management, and retirement planning. It has over 50 million customers in the United States, Europe, Asia, and Latin America and employs over 40,000 workers. In 2023, the company reported over $50 billion in revenue.

Cybercrime group behind insurance company’s security breach

Although no cybercrime gang has publicly taken credit for the Prudential Financial security breach, the insurance company attributed the incident to a professional hacking group.

“As of the date of this Report, we believe that the threat actor, who we suspect to be a cybercrime group, accessed Company administrative and user data from certain information technology systems and a small percentage of Company user accounts associated with employees and contractors,” the insurance company said.

An investigation is in progress to determine the scope of the security breach and enumerate all the internal systems compromised. So far, Prudential has found no evidence that the threat actor accessed customer or client data.

“We continue to investigate the extent of the incident, including whether the threat actor accessed any additional information or systems, to determine the impact of the incident.”

As of now, the insurance company believes the data breach will have no material impact on its operations, financial condition, or results of operations.

Implications of SEC rule for disclosure of cybersecurity incidents

The declaration of material impact follows a new SEC rule that took effect in December 2023, requiring all publicly traded companies to report material cybersecurity incidents within four days. Such incidents are likely to influence an investor’s decision to buy, sell, or hold securities, making them financially consequential.

Cybercriminals already target companies during significant financial events such as mergers and acquisitions.

According to Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems, they will now exploit the new reporting regime to extort victims by threatening to disclose cyber incidents.

“Organizations need to quickly identify what the potential impact from a breach is to determine its potential materiality to kick start the disclosure process,” Mandy said. “At the same time, the cybercriminals can and will be threatening public disclosure of the incident to extort money from the victims.”

Darren Guccione, CEO and Co-Founder at Keeper Security, said the new reporting regime will force organizations to disclose more security incidents.

“Following finalization of the new SEC reporting requirements, there will certainly be a flood of mandatory cyber incident reports to the federal commission,” Guccione said.

However, he warned that businesses could abuse the SEC rule by voluntarily filing data breaches below the reporting threshold to avoid publicly acknowledging them.

“By submitting a report to the SEC that an incident occurred, but did not have material impact on operations, Prudential may be attempting to proactively mitigate reputational damage – operating under the assumption that fewer people will read an SEC filing than a public statement. This type of voluntary disclosure is likely motivated more by public relations than regulations,” added Guccione.

The insurance company has either not identified or not disclosed the attack vector exploited during the attack. Phishing is usually the most common pathway into an organization’s internal systems.

“The threat actors accessed the company network from what they described as ‘information technology systems,’” said Craig Harber, Security Evangelist at Open Systems. “The company did not disclose whether this system was a Prudential-managed system or whether this system was third-party-managed.”

The insurance company has not disclosed whether it has received any ransom demands, and no group has threatened to leak stolen data.

Usually, cybercriminals do not publicize a security breach when ransom negotiations are in progress to avoid hurting the company and derailing the process. Similarly, politically motivated hacking groups avoid taking credit for cyber attacks or masquerade as financially motivated actors to conceal their true intentions.

The finance sector is traditionally among the top targets of cyber attacks, only dropping to second behind healthcare in 2022. The Prudential security breach follows another cyber incident impacting Bank of America via one of its service providers, Infosys McCamish Systems (IMS).

Prudential itself has suffered data breaches in the past, being the victim of a third-party MOVEit hack by the Clop ransomware gang that exposed 320,000 customers. That security breach exposed customers’ names, addresses, dates of birth, phone numbers, and Social Security numbers.

“The key takeaway from this data breach is cybercrime is a complex and evolving challenge that impacts individuals, organizations, and societies globally,” Harber concluded. “Vigilance, cybersecurity measures, including incident response preparedness, and international cooperation are crucial in combating this digital menace.”