A Trust-Based Industry Is Being Tested
28 JULY 2023
How to Strengthen Your Organization’s Posture Against Data Exploitation and Third-Party Vulnerabilities
The Hack and Industry-Wide Consequences
This spring, Progress Software Corporation revealed a hack of its MOVEit file transfer software. Nearly two hundred financial services organizations were sent into crisis management after millions of their customers’ personally identifiable information (PII) and other data were compromised over the Memorial Day holiday weekend.¹
The hack caused and continues to cause enormous privacy, legal and financial complications. One company alone disclosed that the breach affected 1.5 million of its customers, revealing their social security numbers. Experts reportedly believe that 3,000 deployments of MOVEit software were active when the hack occurred. The hack demonstrates just how much the retirement, insurance, and banking industries need to re-evaluate how they approach data operations.
Behind the Hack
On May 31, 2023, Progress disclosed a critical zero-day (identified, but not patched) vulnerability in its MOVEit file transfer software. The attackers reportedly exploited a zero-day SQL injection vulnerability in MOVEit’s web application. Among its many uses, the breached software is the basis of the file transfer capabilities in PBI Research Service’s data verification products.
Soon after the disclosure, affected organizations kicked off response measures. The attack has been attributed to hacker group Lace Tempest and the Cl0p Ransomware Gang,²,³ which continue to exploit the data for fraud and extortion purposes. Security experts speculate that the vulnerability may have been exploited even before the May 31, 2023 disclosure of its existence.⁴
Wider Security Implications
Insurance and retirement professionals are anxious, frustrated, and skeptical about the ability of their third-party vendors to withstand relentless security attacks. The increasing number of successful attacks can and will result in potentially catastrophic losses for many of these companies’ customers, and for the companies themselves.
Bad actors are increasingly sophisticated. Industry professionals need to do more to continuously evaluate legacy vendors and processes to ensure that practices that may have been acceptable in the past are not ripe for exploitation today.
Securing the transfer and processing of sensitive data in a shifting environment of bad actors requires system architectures to have the least possible threat surface, diligent patching, and near-constant monitoring.
The size of the MOVEit breach demonstrates that cybersecurity must be a critical priority in today’s business landscape. The MOVEit breach could be the push the industry needs to rethink security modernization. It is now time to finally abandon the antiquated legacy vendor approaches that have left customer data exposed and vulnerable.
3 Critical Steps for Every Corporation with Confidential Data
Here are 3 steps to becoming a cybersecurity champion within your data management and vendor selection processes.
- Involve cybersecurity professionals in your processes and initiatives by making them part of your third-party vendor search early on.
- Embrace and promote adoption of correct internal data practices such as strict and modern encryption.
- Know what to ask and demand from third-party data vendors.
How Evadata LENS Technology Minimizes Security Risks
No product is invulnerable, but Evadata LENS is an example of a cloud-native data product with security designed into the technology instead of added on as a separate component. Evadata security technology features the following components:
- Evadata sets up the LENS data flows to be elusive, meaning that the data flow is never “ON” for longer than small periods of time. The IP location changes constantly.
- LENS is cloud-native software that leverages the best available knowledge of cloud security vulnerabilities.
- All code is scanned for vulnerabilities before it is allowed to be used to service customers.
- Evadata automatically and continuously monitors for vulnerabilities and patches its systems.
- Finally, LENS’ serverless architecture allows complete dismantling of infrastructures immediately after use, leaving bad actors with less opportunity to target.
All these characteristics make it extremely difficult to find, track, or attack the system. Furthermore, the system undergoes continuous penetration testing as well as strict encryption. Customers can review Evadata’s security status in real time at .
In other words, the root causes of the MOVEit breach do not exist within Evadata LENS security. More importantly, a renewed inspection of legacy vendors and processes by cybersecurity experts will identify threats and lead to changes that will lessen the chances of a significant data breach like that which occurred with MOVEit.
1. Dark Reading. Cl0p’s MOVEit Campaign Represents a New Era in Cyberattacks. July 5, 2023.
2. Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability. June 1, 2023.
3. CISA Cybersecurity Advisory. June 7, 2023.
4. Steve King, CISM, CISSP, Canadian Cybersecurity Network.
Harness the power of Evadata LENS to maximize third-party data
Evadata is an insurtech company endorsed by leading insurance and annuities carriers, which provides modern, scalable data solutions. Tailored products position carriers with the opportunity to improve customer experience, increase efficiency, and promote growth.
Evadata LENS is a solution that offers advanced and comprehensive match technology to analyze and evaluate multiple carrier death data against organizational records. Evadata LENS is the only service positioned to provide daily data on new and open claims, ensuring operational year-round efficiencies.
Evadata LENS and the significance of death data to life insurance and annuities industries
Fundamental facets of life insurance and annuity procedures, such as premium past-due communications, unreported deaths, and dependency on beneficiaries to initiate claims require close monitoring of death data. For example, it’s vital to know which customers have passed away to initiate death benefits payments owed to a beneficiary and, in the case of annuities, prevent overpayments to deceased customers.
Cross-referencing death data with existing customer records requires a level of skillset sophistication and specialty not yet widespread in the life insurance and annuity industries. When internal data resources are earmarked for revenue-generating or transformational priorities that translate into years-long projects, proactively identifying unclaimed life insurance payouts may become secondary to the organization’s business model.
In the last few years, the number of deaths in the United States has averaged around 3 million per year — with multiple data sources relating to each death. Social Security number-privileged sources, vital state records, proprietary data sources, Death Master File, and broad coverage public sources like obituaries and funeral notices are all instrumental for tracking purposes but cumbersome to track.
Contracting with multiple data sources to receive, aggregate, parse, and match millions of deaths with customer records is challenging when performed by the life insurance or annuity organization itself. For most companies, it’s not an efficient or sustainable model.
That’s why life insurance and annuity organizations are increasingly exploring opportunities to improve death data reporting and to quantify the impact of their claims and annuity data. With Evadata LENS simplifying that process, your organization can focus its energy and resources on success.