Anyone who received a data breach notice letter from PBI on behalf of Corebridge Financial or otherwise believes their personal information may have been exposed in a cyberattack affecting the insurance and retirement plan provider.
What’s Going On?
Corebridge recently announced that a data breach targeting a widely used file transfer platform, MOVEit, has reportedly compromised files containing personal information belonging to an estimated 798,000 policyholders, account owners and beneficiaries. Attorneys working with ClassAction.org are now looking into whether a class action lawsuit can be filed on behalf of victims.
How Could a Lawsuit Help?
A class action lawsuit could potentially help impacted individuals get money back for any damages they’ve experienced as a result of the data breach. It could also force Corebridge Financial and its third-party vendors to improve their data security practices.
Attorneys working with ClassAction.org want to hear from anyone whose data may have been compromised in a May 2023 data breach that impacted Corebridge Financial (formerly AIG Retirement Services) and the following subsidiaries:
American General Life Insurance Company
The United States Life Insurance Company in the City of New York
The Variable Annuity Life Insurance Company (VALIC)
VALIC Retirement Services Company
Specifically, they’re investigating whether a class action lawsuit can be filed against Corebridge Financial and others over a recent cyberattack involving MOVEit, a file transfer service used by PBI Research Services (PBI), a third-party vendor Corebridge partners with.
In letters to the attorneys general of several states, Corebridge revealed that files accessed by cybercriminals during the data breach contained personal information belonging to life insurance and retirement plan policyholders and account owners, including their Social Security numbers, names, dates of birth, addresses and policy/account numbers. The data breach may have also exposed beneficiaries’ names, addresses and dates of birth.
The attorneys have reason to believe that Corebridge Financial and its third-party partners may have failed to implement appropriate safeguards to keep customer information confidential. They’re now looking into a class action lawsuit to hold the companies accountable and help compensate victims for any harm they’ve suffered, such as identity theft or fraud.
Corebridge Financial Data Breach: Why Did I Get a Letter?
Corebridge Financial, one of the largest providers of insurance and retirement plans in the U.S., notified the attorneys general of several states around July 27 that the MOVEit file transfer system security event experienced by PBI had impacted approximately 798,000 of its policyholders, account owners and beneficiaries.
In a letter to the Iowa attorney general, Corebridge said PBI would be notifying affected individuals on its behalf and planned to begin mailing data breach letters by the end of July. The letter will provide instructions on how victims can access credit monitoring services and identity theft protection, the company says.
According to a proposed class action filed against the operators of MOVEit, Ipswitch and Progress Software Corporation, the “massive” cyberattack has impacted “several hundred” companies and federal and state agencies that use the platform to share sensitive data.
The actor reportedly responsible for the breach, a ransomware group called Clop, first gained access to the MOVEit transfer servers on May 27 after exploiting a vulnerability in the platform’s software, BankInfoSecurity.com reports. DataEconomy.com says that in mid-June, the Russian-linked hacker group began listing impacted organizations on its dark web leak site and threatening to post batches of data if they failed to meet its ransom demands.
As of June 23, PBI has not been listed on Clop’s website, BleepingComputer.com reports. “While this could mean that the company is negotiating with the threat actors not to release data, it could also mean that Clop has not begun extorting the organization yet,” the cybersecurity news site says.
How Could a Lawsuit Help Data Breach Victims?
If successful, a lawsuit could provide compensation for:
The cost of obtaining credit reports and additional credit monitoring and identity theft protection services
Loss of time spent dealing with the effects of the breach
Loss of privacy
Damage to credit
A lawsuit could also force Corebridge Financial and its vendors to implement stronger data security practices to protect customer information from future attacks.