2023-06-26 Corebridge Financial, Inc. Cybersecurity Incident

Page last updated on April 11, 2024

Corebridge Financial, Inc. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-06-26 17:01:06 EDT.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date:
Disclosure Date: 2023-06-16
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2023-06-26

Corebridge Financial, Inc. filed an 8-K at 2023-06-26 17:01:06 EDT
Accession Number: 0001628280-23-023475

Item 8.01 Other Events.

On June 16, 2023, Corebridge Financial, Inc. (“Corebridge” or the “Company”) was notified by one of its third-party vendors (“Vendor”) that data specific to Corebridge customers had been compromised in a security incident that the Vendor experienced targeting a zero-day vulnerability (the “Vendor Incident”) in the Vendor’s instance of the MOVEit Transfer Application (“MOVEit”). MOVEit is a managed file transfer software developed and maintained by Progress Software Corporation and used by thousands of organizations. The Company uses Vendor for certain regulatory compliance and operational support services.

As a result of this Vendor Incident, an unauthorized party obtained personal information in the Vendor’s possession about a significant number of the Company’s customers, including in some instances social security numbers and policy number. The Company will ensure that appropriate notifications are provided to impacted individuals and to regulatory agencies as required by federal and state law. Impacted individuals will be offered complimentary credit monitoring and identity restoration services, which will be described in the notifications.

Upon receiving notification of the Vendor Incident, the Company, together with the Vendor, promptly launched an investigation to determine the scope and nature of any Corebridge customer data that may have been impacted. While that investigation is still ongoing, there is no indication that the Vendor Incident has had any impact on any of the Company’s information systems, Corebridge’s own MOVEit environment was not affected, and there has been no material interruption to the Company’s business operations. While the Company is continuing to measure the impact of the Vendor Incident, including certain remediation expenses and other potential liabilities, the Company does not currently believe the Vendor Incident will have a material adverse effect on its business, operations, or financial results.

Additional information can be found at www.corebridgefinancial.com/vendor-incident.

Company Information