A data breach at insurance giant Prudential has ballooned far beyond initial estimates, with regulators informed that over 2.5 million individuals may have had personal information compromised. This significant update comes after Prudential downplayed the incident in March, stating only 36,545 customers were affected.
Prudential is the second largest life insurance company in the United States, with 40,000 employees worldwide and revenue of $50 billion in 2023.
Initial Claims vs. Updated Numbers
In March 2024, following a February network intrusion, Prudential reported to regulators that hackers accessed a limited dataset, including names, addresses, and driver’s license/ID numbers, for 36,545 individuals. However, updated data breach filings submitted to Maine regulators on June 30th paint a much bleaker picture. The revised figures show a staggering 2,556,210 customers potentially impacted by the data leak.
A Prudential spokesperson told The Cyber Express that the leaked information may vary for each affected individual.
“As a part of our response to the cybersecurity incident disclosed in February, Prudential worked diligently to complete a complex analysis of the affected data and notify individuals, as appropriate, on a rolling basis starting on March 29, 2024. Prudential’s notifications are substantially complete at this time. We are providing all affected individuals with 24 months of complimentary credit monitoring as an additional protection.
We take this incident and our responsibility to protect personal information extremely seriously. We have taken, and will continue to take, proactive measures to enhance our security protocols, and protect our systems and data.” – Prudential Spokesperson
While the full scope of the breach is under investigation, the significant increase in reported victims raises concerns about the initial assessment and potential notification delays.
Prudential’s Response and Next Steps
Prudential maintains they have completed a “complex analysis” of the affected data and initiated a rolling notification process starting in March. However, the vast increase in impacted individuals begs the question of whether these notifications were comprehensive and timely. The company assures it’s offering all affected individuals 24 months of complimentary credit monitoring.
ALPHV Ransomware Gang Claimed Prudential Data Breach
Prudential has yet to disclose details about the attackers behind the February data breach. However, the ALPHV/BlackCat ransomware gang took responsibility for the incident on February 13.
The gang is now shut down, but not before running an exit scam and getting a hefty ransom of $22 million from the Change Healthcare breach. The FBI tied ALPHV to over 60 breaches in its first four months, netting at least $300 million from more than 1,000 victims by September 2023.
Notably, this is not Prudential’s first major data breach. In 2023, a separate attack involving a compromised file transfer tool exposed the Social Security numbers and other sensitive data of over 320,000 customers.
Prudential’s revised data breach figures raise critical questions about incident response protocols, data forensics capabilities, and the potential impact on millions of customers. Regulatory bodies could scrutinize Prudential’s handling of the situation as the situation evolves.
*Update July 2, 5:30 p.m. ET: Added response received from Prudential’s spokesperson.
