Prudential Data Breach Impacts More than 2.5 Million People

The number of people impacted by a Prudential Financial data breach earlier this year has swelled to more than 2.5 million.

In addition, a ransomware attack on Patelco Credit Union, based in northern California, led to the shutdown of several of its customer-facing banking systems to contain the incident's impact.

Initially disclosed back in February in a regulatory filing with the U.S. Securities and Exchange Commission (SEC), the Prudential Financial incident occurred on Feb. 4 and was identified one day later. At that time, Prudential Financial said the attackers accessed systems containing company administrative and user data, as well as employee and contractor accounts.

One week later, the Alphv/BlackCat ransomware group claimed responsibility for the attack, listing Prudential Financial on its Tor-based leak site.

In an initial filing with the Maine Attorney General’s Office, Prudential Financial revealed the hackers had stolen the information of more than 36,000 individuals. In a new filing, that number has increased to more than 2.5 million people.

Prudential Financial Response

Prudential Financial sent us this statement:

“As a part of our response to the cybersecurity incident disclosed in February, Prudential worked diligently to complete a complex analysis of the affected data and notify individuals, as appropriate, on a rolling basis starting on March 29, 2024. Prudential’s notifications are substantially complete at this time. We are providing all affected individuals with 24 months of complementary credit monitoring as an additional protection. We take this incident and our responsibility to protect personal information extremely seriously. We have taken, and will continue to take, proactive measures to enhance our security protocols, and protect our systems and data.”

Nick Tausek, lead security automation architect at Swimlane, said while security teams need various tools to protect complex technology environments, disjointed tools that lack cross-communication and cloud integration are straining team bandwidth and creating security gaps.

Swimlane's Nick Tausek

“Cybercriminals are taking advantage of these gaps, leading to frequent and costly breaches,” he said. “According to a recent report from Swimlane and Omdia, 42% of financial organizations have had at least one breach with a total cost of $1 million in the last 12 months, with 20% experiencing a breach with a total cost of more than $5 million.”

(Omdia and Channel Futures share a parent company, Informa.)

It’s crucial for organizations in the financial industry to safeguard customer data and prioritize a comprehensive approach, Tausek said.

“This includes incorporating a layered security strategy that focuses on proactive measures rather than just reactive tools,” he said. “By prioritizing the detection, response and investigation of threats, organizations can gain comprehensive visibility of the entire IT environment, and increase efficiency while responding to threats. Automation can aid security teams by eliminating the need for heavy coding and breaking down silos, particularly for financial institutions where security and fraud teams often don’t collaborate."

Credit Union Ransomware Attack

According to Patelco Credit Union's latest update, it experienced a ransomware attack on June 29.

"Our priority is the safe and secure restoration of our banking systems," it said. "We continue to work alongside leading third-party cybersecurity experts in support of this effort. We have also been cooperating with regulators and law enforcement."

Dan Lattimer, vice president of Semperis, said this news comes on the heels of a breach at Evolve Bank & Trust, a financial institution popular with fintech startups.

"While the ripple effect at Patelco is likely smaller in scale than Evolve due to its regional footprint, it's a stark reminder that bad actors are increasingly targeting small, midmarket and large financial and banking institutions for the volume of sensitive financial information they process daily," he said. "Experts at the International Monetary Fund suggest that attacks on financial firms account for nearly one-fifth of all attacks, with banks being the most exposed."

Semperis' Dan Lattimer

While there's no silver bullet in cybersecurity, organizations must identify their business-critical systems and monitor them for unauthorized and anomalous changes, Lattimer said.

"Rolling out security awareness training to employees and establishing robust incident response plans are also critical," he said. "Patelco clearly had the latter in place, as it proactively shut down several of its customer-facing banking systems to assess and contain the impact of the hack."