As the leading provider of proactive death audit and locate services, PBI Research Services (PBI) partners with pension plans, insurance companies, and other organizations to improve the accuracy of their data. PBI solutions have helped plans uncover over $1 billion in overpayments, releasing billions in unnecessary funding liability, meeting regulatory obligations, and helping ensure participants, policyholders, and beneficiaries receive what they’ve earned and deserve.

What happened?

In late May 2023, the federal government, state governments, universities, health care organizations, and corporations in the United States and around the world were impacted by a cyberattack on MOVEit, a managed file transfer (MFT) software tool used by thousands of organizations globally to securely transfer data files between locations, servers, and organizations.

MOVEit Transfer, owned by Progress Software, had a zero-day vulnerability that was exploited by cyber criminals. A zero-day vulnerability is one that was previously unknown to the vendor, so no patch existed when exploitation began. According to reports, the cyber criminals accessed personal information of potentially millions of people.

PBI, like many companies, uses the MOVEit Transfer software to accept and share files. While PBI was impacted, the cyber criminals did not gain access to PBI’s core systems or software. The cyber criminals gained access only to a remote server, via the MOVEit administrative portal.

PBI’s response.

After learning of the MOVEit event, PBI quickly assembled a team of industry specialists and immediately began reaching out to clients who were potentially impacted. Progress Software made patches available on June 2, 2023. That same day, PBI completed Progress’s recommended patching and remediation steps. PBI notified federal law enforcement on June 3, 2023.

To support a comprehensive incident response, PBI promptly engaged Kroll, a leading cybersecurity and digital forensics firm, to conduct a forensic investigation into the event and determine the nature and scope of the vulnerability’s impact on our systems.

Communicating with impacted participants is an important part of the process. PBI is partnering with its clients to explain to participants what happened, the steps that were taken, and the services available to them. As part of the incident response process, PBI and its clients are offering free credit monitoring to potentially impacted individuals. To facilitate timely communication, PBI retained Kroll to manage communication with potentially impacted participants. Some of PBI’s impacted clients have chosen to manage communications with their own impacted participants themselves.

Security has always been our priority.

Although the cyber criminals did not gain access to PBI’s internal systems or software, PBI remains committed to consistently adhering to rigorous security standards. Before the event, we had a formalized security program that followed industry-recognized security frameworks, including an annual SSAE 18 SOC 2 Type II audit.

If PBI is SOC 2 audited, how did this happen?

Even with the strictest controls, no organization is impervious to cyberattacks. It is also important to reiterate that the event did not penetrate PBI’s internal systems.

What’s an SOC 2 audit?

SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. A SOC 2 audit is technology-focused and provides detailed information about an organization’s controls.

SOC 2 security audits provide evidence to a broad range of stakeholders, such as customers, partners, and regulators, that the organization has implemented appropriate controls to protect its systems and data.

What’s next.

PBI was not directly targeted by these cyber criminals. PBI has security controls in place to patch known vulnerabilities as they are identified. By their nature, zero-day attacks are attacks for which there is initially no defense, until the vendor becomes aware of the vulnerability and provides patches or emergency recommendations. PBI had applied all available patches to the MOVEit system when this vulnerability was announced.

The MOVEit event was an anomaly that impacted hundreds of organizations worldwide. It was the first data event for PBI in its 40-year history. Data security is a top priority, and we always strive to do what’s best for customers, participants, beneficiaries, and policyholders.