Regulators: More than 255,000 CT insurance customers affected by data breach [New Haven Register, Conn.]

Sep. 7—The fallout from a May data breach continues to hit home in Connecticut, with more than 255,000 insurance consumers in the state having their personal information exposed as a result, according to a report from insurance regulators.

The report, released to Hearst Connecticut Media by the Connecticut Department of Insurance on Wednesday, shows that customers of three dozen insurers in the state had their data exposed as result of the breach. Of the 255,367 Connecticut residents whose data was exposed, over half of them were served by three insurance companies: Genworth Financial, American General Life Insurance and Teachers Insurance and Annuity Association of America, or TIAA as it is commonly known.

Officials with Genworth and American General were not immediately available for comment on the breach or the report. A spokesman for TIAA said in a written statement that no information was obtained from its systems.

"We have not observed any related unusual activity from this event involving TIAA accounts," the statement said, in part. "We continuously monitor all individual's accounts for unusual activity through our multi-layered controls. Customer data security is a top priority, and we are taking this incident very seriously."

In terms of the total number customers with data exposed, Genworth and TIAA were among the 10 largest companies and organizations, according to an analysis by New Zealand-based anti-virus software maker Emsisoft on data breach notifications issued by different states, Securities and Exchange Commission filings, and other public disclosures. Through Wednesday, TIAA had a total of 2.6 million customers whose data was exposed and Genworth had 2.5 million.

The three dozen insurers in the state Insurance Department report join a growing list of companies doing business in Connecticut whose customers have had their data put at risk by data breaches. In the past week alone, both Eversource Energy and M&T Bank have reported breaches involving the information of Connecticut customers through a third party vendor.

Eversource officials reported that 1,400 customers in Connecticut enrolled in a solar incentive program managed by an external vendor called CLEAResult may have had personal information exposed, including Social Security numbers. And an undetermined number of M&T Bank's Connecticut customers had their names and addresses, as well as their account numbers, exposed as a result of the breach.

The data breach affecting M&T and Eversource involved the file transfer software MOVEit, which is produced by Massachusetts-based Progress Software.

The breach occurred only on the third-party platform, and M&T internal systems were not compromised, according to the statement released by the bank. It is the same data breach that affected the Eversource customers.

Progress Software has created multiple "patches" to address the vulnerability in it's MOVEit program, as is standard practice in the software industry.

Fred Scholl, director of Quinnipiac University's graduate cyber security program, said companies need to step up monitoring of activity on different computer applications.

"I think people know you can't totally prevent (data breaches), so it's all about minimizing the risk," Scholl said. "You look at what the baseline is and then look at what the deviation from that baseline is. There has to be someone within these companies keeping track of that."

___

(c)2023 the New Haven Register (New Haven, Conn.)

Visit the New Haven Register (New Haven, Conn.) at www.nhregister.com

Distributed by Tribune Content Agency, LLC.