Prudential Financial disclosed that 36,545 individuals had personal information stolen in an early February breach that was claimed by ALPHV/BlackCat, the group also responsible for the Change Healthcare ransomware attack.
In a letter to consumers dated March 29, the large insurance company said the stolen personal data includes names, addresses, driver’s license numbers, and non-driver identification card numbers.
“As part of our response, we have worked with leading cybersecurity experts to confirm the unauthorized third party no longer has access to our company systems,” said Prudential Financial in the letter.
The company also said it took measures to protect its systems and data, including enhancing access controls and security protocols, and implementing additional monitoring technologies and procedures. Prudential Financial said it’s also taking steps to strengthen its authentication protocols and help protect access to customer accounts.
A filing to the Maine Attorney General’s Office said the breach took place Feb. 4 and was discovered a day later. The company initially released that information in an 8-K filing to the Securities and Exchange Commission.
Organizations should take note of new SEC disclosure rules
In light of this recent disclosure by Prudential Insurance, it's crucial to reflect on the four-day incident notification process outlined in the new SEC regulations, noted Craig Jones, vice president of security operations at Ontinue. Jones pointed out that, historically, there's often a lag between breach disclosure and victim notification.
“But with the new SEC regulations aiming for timelier disclosures, we anticipate an improvement in this process,” said Jones. “However, the effectiveness will depend on companies' adherence to these regulations and their commitment to transparency. It remains to be seen whether this will significantly change the current playbook for large companies, or if we will continue to observe delayed notifications.”
Nick France, chief technology officer at Sectigo, said companies are always likely to remain wary of very rapid disclosure, given the financial impact these incidents can have, and will try to delay as much as possible.
“Ultimately, I believe that the new SEC regulations should make these processes work faster,” France said. “However, given the wording of the regulation, and the fact that it only came into effect at the very end of 2023, it may take some time before we see disclosures happening at the four-day pace.”
Dave Gerry, chief executive officer at Bugcrowd, said the SEC has made it clear that its primary goal revolves around ensuring investors are notified of security incidents in a timely manner.
“Broader customer notification is a secondary outcome to that, and I'd expect to see companies continue to comply with the SEC rules while also implementing their own incident response playbooks,” said Gerry.