Vermont warns on data breach

The Vermont Department of Financial Regulation (VDFR) has announced that a large-scale data security breach has compromised the information of at least 43 companies regulated or doing business in the State.

In addition the personally identifiable information of roughly 42,000 Vermonters and over 38 million consumers nationwide has been compromised.

The breach occurred when the CLOP Ransomware Gang, a known threat actor, infiltrated the MOVEit file transfer software used by many organizations both public and private. The Department first issued a consumer alert about this breach on July 19, 2023.

As of this week, 43 companies, regulated by the VDFR or associated with a regulated entities’ data, have reported data breaches related to the MOVEit file transfer software. A full list of the affected companies is available from the VDFR.

New companies are reporting breaches weekly and this list is subject to change.

Many impacted entities were impacted through a third-party called PBI Research Services, (PBI). PBI provides third-party services to numerous insurance companies doing business in Vermont. For most companies impacted through their partnership with PBI, PBI has sent notices directly to impacted Vermonters.

In a statement the VDFR said: “If your information was compromised in the breach, you should receive a letter from PBI, or one of the entities listed above. That letter will provide additional information about the breach and detail what personal information was implicated. The letter also provides a code to sign up for identity and credit protection. For more information on the specifics of this breach, we encourage impacted consumers to reach out to PBI or one of the entities listed above.”