What happened?
F&G was informed by its third-party vendor, PBI, of a recent IT security incident involving PBI’s instance of the MOVEit transfer system. Based on information provided by PBI, the estimated date of compromise was between May 29, 2023 and May 30, 2023. PBI has reported the matter to federal law enforcement and has advised F&G that it has remediated the vulnerability.
On June 20, 2023, PBI advised F&G that it had confirmed through an analysis of relevant log data that specific files containing F&G policyholder information were compromised as a result of this security incident.
We understand numerous organizations around the world, including Fortune 500 companies, governmental agencies, and non-government organizations, were impacted by this vulnerability.
F&G can confirm that none of its information systems or business operations were impacted as a result of the incident involving PBI.
Who is PBI? How does F&G work with PBI?
PBI is a third-party vendor that F&G uses to satisfy certain regulatory obligations by ensuring accuracy in payments to retirees and beneficiaries.
What is MOVEit?
MOVEit Transfer is a secure email and file transfer platform used by numerous organizations worldwide to transfer data. The provider of the MOVEit Transfer platform, Progress Software, announced a zero-day vulnerability associated with MOVEit on May 31, 2023.
What personal information was involved?
F&G understands that the impacted information includes certain personal information related to our clients, such as social security number and date of birth.
The specific impacted data for each policyholder is confirmed in the written communication from PBI.
Were any F&G systems impacted?
F&G can confirm that none of its information systems or business operations were impacted as a result of the incident involving PBI.
Who was impacted?
While our investigation is ongoing, we assume that each F&G customer associated with an active F&G annuity or life policy as of March 1, 2023 was impacted by this incident; for our Pension Risk Transfer (“PRT”) group annuity certificate holders, the corresponding date is February 15, 2023.
PBI sent written letters to impacted individuals notifying them of the incident and offering credit monitoring services and identity theft restoration, as well as instructions on how to access those resources.
What is F&G doing to ensure this does not happen again?
We understand that this incident was the result of a zero-day vulnerability in the MOVEit platform. This vulnerability allowed an unauthorized third party to access the MOVEit platform and exfiltrate data. The incident did not impact F&G’s systems. Nevertheless, we are continuing to assess what additional measures we and our vendors can take to further strengthen the security of our IT environment.
We remain committed and focused on continuing to serve our customers.
The MOVEit issue affected thousands of organizations and vendors. Are you certain that PBI was your only vendor affected by this?
F&G is working with our third-party vendors to identify whether any other vendors use MOVEit and were affected by the vulnerability. Through that process, it was determined that another F&G vendor that performs services related to public shareholders, Continental Stock Transfer & Trust Co. (“Continental”), was advised by Sovos Compliance, LLC (“Sovos”), a vendor utilized by Continental in connection with unclaimed property compliance matters, that Sovos was also affected by the MOVEit incident. F&G has been advised that 3 shareholders were impacted and have received a notification regarding the incident.
How do I activate the credit monitoring service?
PBI has partnered with Kroll, a risk mitigation and response team, to assist customers directly. Given the widespread nature of the event at PBI, hold times could be extensive.
We encourage customers to visit the online portal to activate the credit monitoring service. Speaking directly to Kroll is not required to activate the service.
What information is included in the letter from PBI?
Included in the letter from PBI will be instructions on how to activate the credit monitoring service. A member code will be included in your letter to complete the registration process.
The process is self-service through the provided website. You do not need to call Kroll to activate the monitoring.
Is F&G issuing new policy numbers?
As explained above, none of F&G’s information systems were compromised as a result of the incident involving PBI, and they remain secure. F&G is not issuing new policy numbers.
How do I register for the credit monitoring service?
Included in the letter from PBI will be instructions on how to activate the credit monitoring service. A member code will be included in your letter to complete the registration process.
The process is self-service through the provided website. You do not need to call Kroll to activate the monitoring.
To Our Policyholders
I have a policy/contract with F&G. Was my personal information accessed?
Any policyholder who was directly affected by the MOVEit incident will receive a written letter from PBI in early August.
While our investigation is ongoing, we assume that each F&G customer associated with an active F&G annuity or life policy as of March 1, 2023 was impacted by this incident.
Will this impact my benefits?
No. F&G systems were not impacted by the MOVEit incident. Your current payments will continue to be deposited to your bank account or mailed to you if you have chosen to receive a paper check.
What can I do now?
We recommend that you remain vigilant to threats of identity theft or fraud by regularly reviewing and monitoring your accounts and credit history for signs of unauthorized transactions or activity.
We are working with PBI to provide notice to impacted individuals and the opportunity to enroll in credit monitoring services and identity theft restoration. To prevent misuse of your information, the Federal Trade Commission advises consumers to place a credit freeze or fraud alerts with the three credit bureaus – Equifax, Experian, and TransUnion. To learn more about the Federal Trade Commission’s advice for consumers, visit their site here.
Additionally, while there is no indication that F&G systems were impacted, if you use the F&G Policyholder Portal or the F&G PRT Portal, it is always a best practice to frequently change passwords to add an extra level of security on your account.
F&G remains able, committed, and focused on continuing to serve our customers.
To Our Financial & Insurance Professionals
My client’s information was exposed. What happens now?
PBI sent written letters to impacted individuals notifying them of the incident and offering credit monitoring services and identity theft restoration, as well as instructions on how to access those resources.
Can you tell me which of my clients’ information was exposed so I can reach out to them?
While our investigation is ongoing, we assume that each F&G customer associated with an active F&G annuity or life policy as of March 1, 2023 was impacted by this incident.
PBI sent written letters to impacted individuals notifying them of the incident and offering credit monitoring services and identity theft restoration, as well as instructions on how to access those resources.
To our Pension Risk Transfer Clients and Brokers
My or my client’s former pension plan participants’ information was exposed. What happens now?
PBI sent written letters to impacted individuals notifying them of the incident and offering credit monitoring services and identity theft restoration, as well as instructions on how to access those resources.
Can you tell me which of my or my clients’ former pension plan participants’ information was exposed so I can reach out to them?
While our investigation is ongoing, we assume that each F&G customer associated with an active group annuity certificate holder as of February 15, 2023 was impacted.
PBI sent written letters to impacted individuals notifying them of the incident and offering credit monitoring services and identity theft restoration, as well as instructions on how to access those resources.
Updated: August 29, 2023