PBI has begun notifying users affected by a data breach caused by the exploitation of a zero-day bug in MOVEit Transfer software. Attackers accessed one of PBI’s servers and exfiltrated certain data, potentially compromising the names, partial mailing addresses, Social Security numbers, and dates of birth of over 370,000 individuals.
PBI, known as the largest obituary database in the US, is offering credit monitoring and identity restoration services for two years to affected individuals.
The breach also impacted other companies that used PBI as a third-party vendor, including Wilton Re, which reported the exposure of personal details for nearly 1.5 million people.
CalPERS, the largest public pension fund in the US, stated that around 769,000 individuals who were receiving ongoing monthly benefit payments could have had their name, date of birth, and Social Security number exposed in the breach.
The cybercriminal group known as Cl0p, which has claimed responsibility for the exploit, has targeted over 200 organizations, resulting in more than 17 million exposed individuals.
Operating under the Ransomware-as-a-Service model, Cl0p employs the “double-extortion” technique by stealing and encrypting victim data, refusing to restore access unless a ransom is paid, and publishing the stolen data on its dark web leak site. The extent of the exposed data depends on how each company utilizes the file transfer system.