Last updated on August 10th, 2023 at 11:15 am
On Wednesday, ransomware gang Cl0p began leaking the data it stole from Pension Benefits Information (PBI). The stolen data contains personal information, including SSNs, of customers of insurance and pension companies that work with PBI. Cl0p’s publication of this data puts these customers at risk of identity theft.
So far, California Public Employees’ Retirement System (CalPERS), VALIC Retirement Services Company (VRSCO), Genworth Financial, Teachers Insurance and Annuity Association of America (TIAA) and Wilton Reassurance Co Inc are known to be affected by the attack on PBI.
Cl0p breached PBI at the end of May after the cybercriminals exploited a security flaw in file transfer software MOVEit. PBI was not alone in falling victim to the hack, as security firm Emsisoft says 590 organizations were affected as of August 5th.
Cl0p then instructed companies using MOVEit to reach out and begin negotiations. Companies who did not negotiate, or whose negotiations failed, first had their names listed on Cl0p’s leak site and, if they still did not comply, had their data published.
PBI disclosed it had been breached prior to being listed on Cl0p’s data leak site. Since then, it has been notifying individuals whose information was stolen and offering them free identity theft monitoring.
While PBI’s data breach notifications mention the MOVEit exploit, they do not explain the data was stolen by a ransomware gang or that the information would be published if PBI failed to pay the ransom. Instead, the notifications make statements such as “we have no indication of identity theft or fraud in relation to this event,” which may cause individuals to underestimate the risks they now face.
Identity theft risk
The PBI data stolen by Cl0p included customer names, addresses, genders, dates of birth, SSNs, and, in some cases, account numbers. As the data is now being leaked on the dark web, any cybercriminal who wants it will be able to access it.
Once they have that information, cybercriminals can use it to apply for loans or credit cards in a customer’s name. They can also submit fraudulent tax returns posing as the customer in an attempt to get a tax refund.
Unfortunately, recovering from identity theft takes significant money and time. According to a report by Javelin Strategy and Research, the average monetary loss per victim of identity theft in 2021 was $1,551. Some reports have also found it takes six months and two hundred hours of work to repair the damage caused by identity thieves.
How affected individuals can protect themselves
While PBI is offering identity theft protection to affected customers, at least some are only being offered single bureau credit monitoring. As there are three big credit bureaus (Equifax, Experian and TransUnion), this means the monitoring is not comprehensive.
For example, if Experian is the monitored bureau and a criminal applies for a new line of credit with a lender that pulls the victim’s credit report from Experian, the victim will receive an alert. But they will not receive an alert if the lender instead pulls their file from Equifax or TransUnion.
That’s not to say customers affected by the PBI breach should not sign up for the free service if they are interested in it. Rather, they should be aware of its limitations and consider taking further action to protect themselves.
One additional step affected individuals can take is to place a free fraud alert on their credit reports. This notice warns lenders they should verify the identity of the individual before approving a credit application in their name because of the risk of fraud.
A fraud alert can be set up by visiting the website for one of the big three credit bureaus (Equifax, Experian or TransUnion) and following the instructions. However, customers do not have to request a fraud alert at each bureau. Once the alert has been placed at one bureau, it should notify the other two as well.
An affected individual can also protect themselves by freezing their credit. This will stop lenders from pulling their credit file and so prevent them from approving fraudulent applications. However, it also means that the individual will need to unfreeze their credit temporarily if they want to apply for a new credit card, for example.
Like a fraud alert, credit freezes are free to set up. Unlike a fraud alert, however, they have to be set up at each individual credit bureau. If done online, the process is fortunately quick and easy.
To be completely thorough, an affected customer may also want to place a fraud alert on, or freeze their report at, the following places: Innovis (the fourth leading credit bureau), ChexSystems (a consumer reporting agency focused on checking and savings accounts) and the National Consumer Telecom & Utilities Exchange/NCTUE (a credit reporting agency focusing on telecommunications, TV and utilities).
Cl0p’s publication of PBI’s data puts customers of insurance and pension companies at high risk of identity theft. Customers can protect themselves by enrolling in the free monitoring service provided by PBI (though they should be aware of its limitations), placing a fraud alert on their credit reports, or freezing their credit.
Update August 8th 3:35pm: Edited to add information about Innovis, ChexSystems and NCTUE.