The New Jersey-based financial services company Prudential Financial has revealed that the February data breach affected 2.5 million individuals.
“Through the investigation, we learned that the unauthorized third party gained access to our network on February 4, 2024, and removed a small percentage of personal information from our systems,” the company said in February.
Prudential learned of the incident on February 5 and responded by initiating its internal incident response protocols, notifying relevant regulatory and law enforcement authorities, and launching an investigation.
The probe involving external cyber forensics experts determined the data breach impacted 36,000 individuals and leaked their names, driver’s license numbers, and non-driver identification card numbers.
Prudential also told the US Securities and Exchange Commission that the incident had no material impact on the company’s operations or financial position and that it did “not have any evidence that the threat actor has taken customer or client data.”
While the company did not attribute the cyber attack to any cyber gang, the ALPHV/BlackCat ransomware group claimed responsibility for the prudential financial data breach and listed the company on its data leak site.
Prudential financial services company data breach impacted 2.5 million people
The financial services company continued investigating the February 4 cyber attack to determine its full scope, leading to the recent discovery.
“As a part of our response to the cybersecurity incident disclosed in February, Prudential worked diligently to complete a complex analysis of the affected data and notify individuals, as appropriate, on a rolling basis starting on March 29, 2024,” the company said.
The investigation determined that the data breach impacted more individuals than Prudential had initially anticipated.
According to a new regulatory filing with the Maine Attorney General’s Office, the February data breach impacted 2,556,210 people, a far cry from the 36,545 previously reported.
The insurance company also revised its statement regarding the nature of information stolen which now includes names, addresses, driver’s license numbers, and identification card numbers.
The financial services company had initially disclosed that the threat actor used social engineering tactics to gain access. However, the recent filing does not specify the tactic used to gain initial access.
“While their security teams need various tools to protect complex technology environments, disjointed tools that lack cross-communication and cloud integration are straining team bandwidth and creating security gaps,” said Nick Tausek, Lead Security Automation Architect at Swimlane. “Cybercriminals are taking advantage of these gaps, leading to frequent and costly breaches. According to a recent report from Swimlane and Omdia, 42% of financial organizations have had at least one breach with a total cost of $1M in the last 12 months,…
Read More: Financial Services Company Prudential Financial Says the February Data
