(Reuters) – The number of victims of the MOVEit hack rose by several million on Thursday after the largest U.S. pension fund, Calpers, and insurer Genworth Financial said personal information about their members and clients had been compromised.
Both said a third-party vendor, PBI Research Services, suffered a data theft hack, which provided a path for the hackers to then steal data from Calpers and Genworth. PBI could not be reached for comment.
Calpers said on June 6 that PBI had told it about a “vulnerability” in its MOVEit Transfer software that allowed hackers to download “our data,” without specifying how many people were affected. News reports said information from more than 700,000 Calpers members and retirees was taken.
MOVEit software is widely used by organizations around the world to share sensitive data.
Genworth Financial was hit harder, saying the personal information of nearly 2.5 million to 2.7 million of its customers had been breached.
“The personal information of a significant number of policyholders or other customers of its life insurance business was unlawfully accessed,” Genworth said.
From US government departments to Britain’s telecoms regulator and energy giant Shell, a string of victims have emerged since Burlington, Massachusetts-based Progress Software discovered the security flaw in its MOVEit Transfer product last month.
The insurer said it is working to ensure “protective services” are provided to the affected individuals, according to a regulatory filing.
Data pulled from Calpers included members’ first and last names, dates of birth and social security numbers. Calpers serves more than two million members in its pension scheme.
The MOVEit hack has affected several state and federal agencies. Last week, the US Department of Energy received ransom demands from the Russia-linked extortion group Clop at both its nuclear waste facility and scientific training facility that were recently hit by a global hacking campaign.
Data was compromised at the two DOE entities after hackers breached their systems through a security flaw in MOVEit Transfer.
The widespread impact of the hack shows how even the most security-minded federal agencies struggle to defend against ransomware attacks. Ransomware gangs usually look for such widely used tools.