Milliman Solutions (Milliman) has reported to the authorities that it has suffered a data breach impacting 1,280,823 people in the United States.
According to the notice uploaded to the Office of the Maine Attorney General, the data breach was caused by a service provider, Pension Benefit Information, LLC (“PBI”), which Milliman contracts to research whether customers have passed away. This collaboration is required for the risk assessment services Milliman provides to life insurance companies that use its services, and PBI receives and stores data from Milliman in this context.
Milliman says PBI informed it that hackers breached customer data it had received from the firm on May 31, 2023, after network intruders used a zero-day flaw (CVE-2023-34362) in the MOVEit Transfer software that PBI used for data exchange. This vulnerability was leveraged by the Clop ransomware gang to breach the networks of several hundred companies, making it potentially the most extensive cyberattack of 2023 to date.
After discovering the breach, PBI conducted an internal investigation to determine which of its clients had been impacted, and to what extent, and concluded that Milliman was among them.
“PBI completed that review on June 16, 2023, and confirmed to Milliman Solutions at that time that the personal information of certain consumers of Milliman Solutions’ clients was affected, and Milliman Solutions, following reconciliation of the data, was able to recently inform its clients of the scope of individuals whose information may have been affected.” (Milliman)
Those impacted are customers who participated in the MEMBERS Life Insurance Company (MLIC), CMFG Life Insurance Company (“CMFG”), and The Independent Order of Foresters (“Foresters”) programs. The notice specifies that at least full names and Social Security numbers (SSNs) have been compromised; dates of birth and home addresses may also have been exposed to the cybercriminals.
A sample of PBI’s notice of a data breach sent to Milliman customers indicates that the firm covers exposed individuals with 12 months of identity monitoring services through Kroll, enclosing enrollment instructions for the letter recipients.
Impact of PBI Breach
The breach of PBI by hackers has impacted several big insurance and healthcare providers in the United States, including Genworth Financial, Wilton Reassurance, and CalPERS. The three have reported impact sizes of 2.7 million, 1.5 million, and 0.75 million, respectively, so the total count, including Milliman’s tally, is over 6 million people.
Centralized data management points represent a significant risk because they concentrate data from many clients behind a single point of compromise, and the case of PBI illustrates the consequences clearly. Even if the company followed proper cybersecurity practices and promptly applied available security updates to its software tools, the fact that Clop ransomware exploited an unknown, zero-day flaw to gain access to its network shows that defending against sophisticated threats is far from straightforward.