The Prudential Financial Hack Was Worse Than Previously Thought
Back in February I reported that Prudential Financial got pwned. At the time I said this:
In an 8-K form filed with the SEC this week, Prudential said a “threat actor… had accessed Company administrative and user data from certain information technology systems and a small percentage of Company user accounts associated with employees and contractors.”
And I said this:
The good news is that the threat actors were detected quickly and it looks like Prudential regained control in short order. Swift detection is one of the tools in the toolbox that has to be present to make sure that threat actors cannot set up shop and start to move within a victim’s environment.
Not so fast. Now the company has revealed that over 2.5 million people had their personal information compromised. Ouch. Rogier Fischer, CEO and Co-Founder, Hadrian Security, had this comment:
“Although the finer details of the attack and the damage are not yet out, the breach notification throws up several compliance issues. There was a 52-day delay in notifying consumers of the breach, which exceeds the 30-day limit mandated by many state laws such as the Maine Data Security Breach Notification Law. Additionally, while the company did not need to notify consumer reporting agencies due to the number of affected Maine residents being below 1,000, vigilance is crucial for future breaches. The automated breach testing and compliance reporting could have identified vulnerabilities, ensured policy enforcement, and facilitated quicker responses to risks, thereby preventing the breach. These systems could have also flagged the need for improved employee training to mitigate social engineering risks, as in this case.”
Emily Phelps, Director, Cyware, follows with this:
“Organizations must be empowered to modernize their security operations and effectively share threat intelligence to stay ahead of these threats. Businesses must adopt proactive security strategies, leveraging AI-driven solutions to enhance their threat detection and response capabilities. By operationalizing threat intelligence, organizations can better protect themselves and their clients from future incidents. The financial sector, in particular, must prioritize these advancements to safeguard the personal information of millions.”
This incident proves that maybe everyone should wait until the full scope of any breach is revealed before making any comment. Myself included.
This entry was posted on July 3, 2024 at 8:36 am and is filed under Commentary with tags Hacked.