A massive global cybersecurity breach compromised sensitive information of tens of thousands of consumers and businesses in Connecticut, with some of the bigger hits taken in the insurance industry.

The breach affected more than 30 insurers and 255,000 Connecticut residents, according to reports filed with the Connecticut Department of Insurance in the aftermath of what is considered the largest cybersecurity breach this year and in recent memory.

Genworth Financial, Inc. — a provider of life and long-term care insurance and annuities — was one of the largest and hardest hit by a breach among insurers in Connecticut. Richmond, Va-based Genworth told regulators 44,000 Connecticut residents had their Social Security numbers, dates of birth, first and last names, zip codes and policy numbers scooped up by hackers.

Genworth also was one of the largest companies affected by the breach with 2.5 million individuals having personal information exposed, according to cybersecurity company Emsisoft. Emsisoft has been posting a running snapshot of the breach based on public filings and other sources.

As of Aug. 30, Emsisoft reported that 1,062 organizations and 65.4 million individuals had personal information exposed in the breach.

Wake up call

When personal information is stolen, consumers run the risk of identity theft, accounts being opened in their name without their knowledge and being on the hook for big-ticket purchases like a car or home that they didn’t make.

Technology — and the internet — are so integrated in most people’s lives that the convenience it provides is nearly taken for granted, cybersecurity experts in Connecticut say. But a massive breach is a wake-up call to the dangers of the World Wide Web, they said.

“The threat is a fact of life, unfortunately,”  Arthur House, former chief cybersecurity risk officer for the state of Connecticut, said. “I don’t see an end to the threat of cyber compromise. It’s too lucrative and you get to a point with artificial intelligence thrown into it — if a human being can create it, a human being can figure out how to deconstruct it.”

‘Nobody wants to know it’s a subcontractor’

The breach, first detected at the end of May, involved the file transfer tool MOVEit that is owned by Boston-based Progress Software Corp. MOVEit is used to transfer sensitive by thousands of government agencies, public organizations and businesses to transfer often sensitive information over the internet. The state of Connecticut also uses MOVEit, but a spokesman for Gov. Ned Lamont said the state was not involved in the breach.

The breach was reportedly perpetrated by ClOp ransomware that raided MOVEit servers and stole customer data. The breach did not involve the companies themselves but third-party vendors hired by those companies who used MOVEit.

Genworth declined comment on the cyberattack, deferring to filings with its regulators. In those filings, Genworth said, it would pay for credit monitoring and noted that Genworth’s internal systems were not penetrated but their vendors. Other companies also have similarly distanced themselves in the breach.

But in the aftermath of such a large-scale cyber attack, companies — particularly those in financial services — will have the challenge of making sure customer information is secure. And that will mean whether the company holds the information or whether it is an outside vendor, said House, who now teaches a course in cybersecurity at the University of Connecticut.

House said it is not unreasonable to compare this to a aircraft manufacturer that purchases parts from outside suppliers.

“Maybe it did come from a vendor,” House said. “But ultimately, it is going on a helicopter, jet engine or submarine, you’re responsible for it. If there’s a problem on it, whether in the sea or in the air, nobody wants to know it’s a subcontractor. What they want to know is that the equipment operates as it should.”

There is growing evidence that consumers may be feeling the same way. Part of the fallout from the breach involving MOVEit is a groundswell of lawsuits seeking class-action status. Those lawsuits allege companies did not do enough to protect confidential customer information.

In 2022, an annual survey of businesses by insurance giant Travelers showed the companies are growing increasingly concerned about cyberattacks.

The survey of 1,200 small, medium and large companies across 15-plus industries found that for third time in four years, cybersecurity ranked as the top overall concern among businesses. A majority saw a future attack on their organization as inevitable.

Cyberattacks are now so common that the majority of businesses responding to a new survey not only viewed them as their top concern but a majority saw a future attack on their organization as inevitable.

Taking credit monitoring seriously

In Connecticut, the breach cut a broad swath through multiple industries, including banking and utilities.

M&T Bank confirmed that its third-party vendor had been infiltrated, but the ransomware had swiped just names, addresses and account numbers for checking, savings and money market accounts. M&T, which acquired one of Connecticut’s largest banks — People’s United Bank — last year, declined to disclose how many of its customers were affected. The Buffalo, N.Y.-based bank offered a year of free credit monitoring.

The Connecticut Department of Banking could not immediately comment on how many banks that it regulates had been affected by the cyberbreach.

Among utilities, Eversource, Connecticut’s largest electric supplier, confirmed that about 1,400 of its customers enrolled in its solar incentive program were involved, with personal information such as Social Security numbers were compromised. Separately, personal information for about 1,800 customers participating in the Electric Vehicle program also was affected, exposing account and electric usage, but not Social Security numbers.

“We take seriously the security of our customers’ information, and we continue to review the security controls of all contractors while taking appropriate protective security measures for Eversource systems to protect customers,” an Eversource spokesperson said, in a statement.

There was no estimate of the overall impact on Connecticut from the cybersecurity breach late Friday.

Cyber breaches are not uncommon, and the insurance department typically is informed about 30 or 40 annually a year, according to Kurt Swan, the department’s director of market conduct, licensing and fraud investigations.

What makes the MOVEit breach different is its sheer magnitude, rivaling in scope the 2015 Anthem Blue Cross data breach that put the personal information of up to 80 million enrolled in the health insurer’s plans, both past and present, at risk, Swan said.

Swan advises taking offers of credit monitoring seriously because it can avoid time-consuming headaches later. The insurance department requires two years of credit monitoring for companies involved in a cyber breach.

“I think we all have received many of these notices,” Swan said. “I know I have received a number of them. You just have to ensure that you follow through with that and you monitor your credit to ensure your accounts are not affected or others are not being opened up.”

Kenneth R. Gosselin can be reached at kgosselin@courant.com.