Moveit Hack a Lesson as Digital Threats Increase
Art by Karlotta Freier
A recent data breach known as the Moveit hack has affected more than 2,000 organizations and at least 60 million people, according to the latest tracking by KonBriefing. That list will likely keep growing.
Among those hit were millions of retirement plan participants, in large part due to a breach at Pension Benefit Information, a data vendor working with numerous large recordkeepers and state-run pension systems.
In short: The hackers got access to participant data via some of the largest and most respected institutions in the industry. Lawsuits are coming, targeting not just PBI, but the firms who used it as a vendor.
What, then, is a plan fiduciary to do?
Experts have a number of suggestions that, while they may not be able to stop future breaches, will help a fiduciary be covered should they occur. Suggestions often start with following the Department of Labor’s April 2021 guidance on cybersecurity for the retirement industry, but they also include baking in a regular system of assessment when procuring and working with vendors, participating in mock data breach exercise, and being ready for audits, should they occur.
Information for Sale
In many cybersecurity cases in recent years, hackers used a method known as ransomware, in which they locked up a company’s data and demanded a ransom to release it. More recently, hackers are going straight after personal data, such as the participant information available held with Moveit, a file transfer software company owned by Progress Software Corp. Hackers then sell that information on the “dark web” in batches to criminals, says Marc Bleicher, chief technology officer at Surefire Cyber.
Bleicher says the data tends to have a “shelf life” of about three months as companies start notifying participants of the breach and providing identity theft solutions. A person’s Social Security number, he says, can “fetch $2 to $5” per account, and other personal identifiable information such as financial accounts or passport numbers can be as high as $1,000 per account.
“I would assume that any transactions for [the Moveit data] would have gone pretty quickly,” Bleicher…
