MONTPELIER, Vt. – The Department of Financial Regulation (DFR) has been notified of a security breach that could affect more than seven thousand Vermonters. DFR provides this notice in advance of official notification from Genworth North America Corporation, on behalf of its affiliate insurance companies Genworth Life and Annuity Insurance Company, Genworth Life Insurance Company, and Genworth Life Insurance Company of New York (collectively, “Genworth”).
Currently, no indications exist of any threat of identity theft or fraud in relation to the event; however, certain personal information was exposed.
Genworth uses Pension Benefit Information, LLC, dba PBI Research Services (“PBI”), a company that provides audit and address research services for insurance companies, pension funds and other organizations. On May 29, 2023, the MOVEit file transfer software that PBI uses experienced a security event (actual occurrence May 29; end date May 30, 2023).
- June 1, 2023: U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) and others announced that Progress Software (“Progress”) released a security advisory for a vulnerability in MOVEit Transfer—a managed file transfer software.
- June 2: PBI implemented the patches provided by Progress Software, the producer of MOVEit.
- June 16: PBI advised Genworth that specific Genworth files had been compromised by the security breach. Based on the files impacted, Genworth estimates approximately 7,268 Genworth customers and one insurance agent in Vermont, where approximately 45 of those individuals are deceased, were impacted by this security event.
- According to Genworth, PBI has notified federal law enforcement regarding this security event. Genworth does not use the MOVEit software applications on any company system; this was not a breach of Genworth’s information systems.
The Breach
According to Progress’s website: SQL injection vulnerability found in the MOVEit Transfer web application could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. This vulnerability could lead to escalated privileges and potential unauthorized access to the environment.
On or around May 31, 2023, Progress Software, the provider of MOVEit Transfer software, disclosed a vulnerability in its software that had been exploited by an unauthorized third party. PBI utilizes MOVEit in the regular course of its business operations to securely transfer files. PBI promptly investigated and learned that the third party accessed one of its MOVEit Transfer servers on May 29 and 30, 2023, and downloaded people’s data.
PBI manually reviewed its records to confirm the identities of all individuals potentially affected by this event.
Remedies for Those Affected by the Security Event
On behalf of Genworth and the Companies, PBI will notify all impacted individuals; mailings are planned to start before July 31, 2023. All letters will describe what happened, the personal information that was involved, what PBI is doing, and the steps customers can take to protect themselves.
PBI is offering 24 months of credit monitoring and identity restoration services through Kroll at no cost to all impacted living individuals. Offer details and instructions will be included with each notification letter.
Additionally, PBI will provide notifications to families or personal representatives of all deceased individuals with instructions on how to protect their loved one’s information.
The Department will provide updates on the situation as needed. For further inquiries or questions about this Consumer Alert, please contact the Department of Financial Regulation by phone (802-828-3301) or email (dfr.pubinfo@vermont.gov).
_________________