Information on third-party vendor security incident

On June 16, Corebridge Financial was made aware by one of our third-party vendors, Pension Benefit Information, LLC (PBI), that they were impacted by the MOVEit file transfer vulnerability that has affected a large number of organizations globally. On June 26, the vendor confirmed that Corebridge customer data in their possession was obtained by an unauthorized party due to the exploitation of that vulnerability.

MOVEit Transfer is a managed file transfer software solution that allows an organization to securely transfer large amounts of data efficiently between parties. In addition to PBI, many organizations, including private companies, government agencies and financial and educational institutions, were affected by this vulnerability.

PBI is a third-party vendor Corebridge utilizes for regulatory compliance and operational support services for our businesses. Like many other insurance and financial services companies, we use PBI’s services to identify otherwise unreported deceased end consumers of our products and services, so we can meet our obligations.

Along with PBI and their forensic investigators, we conducted a thorough investigation to determine the scope and nature of personal information involved. Our investigation determined that the incident impacted personal information of (1) Corebridge policyholders and account owners such as name, address, date of birth, policy/account number, and Social Security number, and (2) beneficiaries such as name, address, and date of birth.

Corebridge’s information systems and operations were not impacted, and we continue to serve our customers as we always have.

We take the privacy of our customers’ data very seriously and have taken additional measures to secure our operations and to protect our customers’ data, which includes enhanced fraud monitoring. Corebridge’s own systems and data have not been affected by the MOVEit vulnerability or PBI’s related incident, and we have successfully patched our instances of the MOVEit application in accordance with the latest best practices.

Letters are being mailed from PBI to individuals whose personal information was impacted. The letter will offer individuals 24 months of complimentary credit monitoring, fraud consultation and identity restoration services as an added measure of assurance. The notification letter will provide information on how to register for these free services and a toll-free number individuals can call with any questions.

It is always advisable to review your account statements and credit reports regularly for any unauthorized activity. You should immediately report any unusual activity to your financial institution. You can also contact the three major credit bureaus to place a “fraud alert” on your file at no cost, which alerts creditors to contact you before they open a new credit account under your Social Security number.