In February 2024, Prudential Financial reported it had fallen victim to a ransomware attack. The attack was discovered one day after it started, but not before some 2.5 million people had been impacted by the resulting data breach.

As one of the largest insurance companies in the US, Prudential employs 40,000 people worldwide and reported revenues of over $50 billion in 2023.

At first, Prudential said it believed only 36,000 people had had their data stolen, but that number has now been revised to 2.5 million in a new breach notification. The company has also adjusted what information has stolen. In the original notification the company stated:

“On the basis of the investigation to date, we do not have any evidence that the threat actor has taken customer or client data.”

However, Prudential is now saying the stolen data also impacted many customers and included:

• Full names
• Driving license numbers
• Non-driving license identification cards

The data breach notification states that the company will be giving affected customers 24 months of identity theft and credit monitoring services through Kroll.

Below are some general tips on what to do after you’ve fallen victim to a data breach.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

A data breach at insurance giant Prudential has ballooned far beyond initial estimates, with regulators informed that over 2.5 million individuals may have had personal information compromised. This significant update comes after Prudential downplayed the incident in March, stating only 36,545 customers were affected. Prudential is the second largest life insurance company in the United States, with 40,000 employees worldwide and revenue of $50 billion in 2023.

Initial Claims vs. Updated Numbers

In March 2024, following a February network intrusion, Prudential reported to regulators that hackers accessed a limited dataset, including names, addresses, and driver's license/ID numbers, for 36,545 individuals. However, updated data breach filings submitted to Maine regulators on June 30th paint a much bleaker picture. The revised figures show a staggering 2,556,210 customers potentially impacted by the data leak.

A Prudential spokesperson clarified that the leaked information may vary for each affected individual. While the full scope of the breach is under investigation, the significant increase in reported victims raises concerns about the initial assessment and potential notification delays.

Prudential's Response and Next Steps

Prudential maintains they have completed a "complex analysis" of the affected data and initiated a rolling notification process starting in March. However, the vast increase in impacted individuals begs the question of whether these notifications were comprehensive and timely. The company assures it's offering all affected individuals 24 months of complimentary credit monitoring.

ALPHV Ransomware Gang Claimed Prudential Data Breach

Prudential has yet to disclose details about the attackers behind the February data breach. However, the ALPHV/BlackCat ransomware gang took responsibility for the incident on February 13. The gang is now shut down, but not before running an exit scam and getting a hefty ransom of $22 million from the Change Healthcare breach. The FBI tied ALPHV to over 60 breaches in its first four months, netting at least $300 million from more than 1,000 victims by September 2023.

Notably, this is not Prudential's first major data breach. In 2023, a separate attack involving a compromised file transfer tool exposed the Social Security numbers and other sensitive data of over 320,000 customers.

Prudential's revised data breach figures raise critical questions about incident response protocols, data forensics capabilities, and the potential impact on millions of customers. Regulatory bodies could scrutinize Prudential's handling of the situation as the situation evolves.