Prudential Financial: February incident exposed data of nearly 37,000 customers


Prudential Financial revealed that 36,545 people had personal information stolen in an early February breach claimed by ALPHV/BlackCat, the group also responsible for the Change Healthcare ransomware attack.

In a letter to consumers on March 29, the major insurance company said the stolen personal data includes names, addresses, driver’s license numbers and non-driver identification card numbers.

“As part of our response, we have worked with leading cybersecurity experts to confirm that the unauthorized third party no longer has access to our company’s systems,” Prudential Financial said in the letter.

The company also said it has taken steps to protect its systems and data, including improving access controls and security protocols, and implementing additional monitoring technologies and procedures. Prudential Financial said it is also taking steps to strengthen its authentication protocols and help protect access to customer accounts.

A filing with the Maine Attorney General’s Office stated that the breach took place on February 4 and was discovered a day later. The company initially disclosed the incident in an 8-K filing with the Securities and Exchange Commission.

Organizations should take note of the SEC’s new disclosure rules

In light of this recent disclosure by Prudential Insurance, it is crucial to think about the four-day incident notification process outlined in the new SEC regulations, noted Craig Jones, vice president of security operations at Ontinue. Jones pointed out that, historically, there is often a lag between disclosing a breach and notifying the victim.

“But with the new SEC regulations aiming for faster disclosures, we expect this process to improve,” Jones said. “However, effectiveness will depend on companies’ compliance with these regulations and commitment to transparency. It remains to be seen whether this will significantly change the current strategy of large companies or whether we will continue to see delays in notifications.”

Nick France, chief technology officer at Sectigo, said companies will likely always remain cautious about very rapid disclosure, given the financial impact such incidents can have, and will try to delay as much as possible.

“Ultimately, I think the new SEC regulations should make these processes work faster,” France said. “However, given the wording of the regulations and the fact that they only came into force at the very end of 2023, it could be some time before we see revelations occurring at the rate of four days.”

Dave Gerry, chief executive of Bugcrowd, said the SEC has made it clear that its primary goal is to ensure that investors are informed about security incidents in a timely manner.

“Broader customer notification is a secondary outcome and I would expect to see companies continue to comply with SEC rules while implementing their own incident response manuals,” Gerry said.