VALIC Retirement Service reports MOVEit vulnerability related Data Breach

VALIC Retirement Services Company (VALIC) reported a data breach after discovering that one of its vendors, Pension Benefit Information, LLC (PBI), experienced a MOVEit data breach, resulting in the leakage of confidential client information.

VALIC's parent company, relies on services from various third-party vendors, including PBI, which offers research services for insurance companies and pension funds, among others.

PBI used a file-transfer software called MOVEit, developed by Progress Software. On May 31, 2023, Progress Software disclosed a critical vulnerability in the MOVEit software, which hackers exploited to gain access to PBI's MOVEit server. Since VALIC provided PBI with confidential client information, their client data was among the compromised information. The compromised files were accessible to the unauthorized party between May 29, 2023, and May 30, 2023.

The breached information varied depending on the individual and include:

• names,
• Social Security numbers,
• policy or account numbers,
• dates of birth,
• addresses.

The number of affected individuals is not disclosed.

Following the investigation, VALIC began sending out PBI data breach notification letters to all individuals whose information was affected by the security incident.