2023-06-26 Jackson Financial Inc. Cybersecurity Incident

Page last updated on April 11, 2024

Jackson Financial Inc. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2023-06-26 16:51:06 EDT.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date:
Disclosure Date: 2023-06-26
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2023-06-26

Jackson Financial Inc. filed an 8-K at 2023-06-26 16:51:06 EDT
Accession Number: 0001104659-23-074776

Item 8.01 Other Events.

Progress Software Corporation disclosed a zero-day vulnerability, which is a previously unknown flaw, in its MOVEit Transfer software (“MOVEit”) that could enable malicious actors to gain unauthorized access to sensitive files and information. MOVEit is now the subject of a widely reported cybersecurity event impacting numerous organizations and governmental agencies.

Jackson National Life Insurance Company (“Jackson”) determined that Jackson’s information at one of our third-party vendors, Pension Benefit Information, LLC (“PBI”), was impacted by this event. Jackson, and many other insurance carriers, use PBI to satisfy our regulatory obligations to search various databases to determine the death of certain life insurance policyholders or annuity contract holders. This service helps Jackson to identify possible beneficiaries for death benefits. According to PBI, an unknown actor exploited the MOVEit flaw to access PBI’s systems and download certain data. Our current assessment indicates that personally identifiable information relating to approximately 700,000 to 800,000 of Jackson’s customers was obtained by that unknown actor from PBI’s systems. PBI has informed Jackson that it has rectified the MOVEit vulnerability.

Separately, Jackson experienced unauthorized access to two servers as a result of the MOVEit zero-day vulnerability, however, the scope and nature of the data accessed on those servers was significantly less than the PBI impact. Notably, the unauthorized actor did not gain access to any other systems or software, there was no interruption of Jackson’s business operations, and we believe there was no impact to our financial results. Jackson, with assistance of third-party cybersecurity specialists, promptly launched an investigation into the unauthorized access, secured Jackson’s servers, patched the identified MOVEit vulnerability, and conducted a forensic analysis. Our preliminary assessment is that a subset of information relating to certain partner organizations and individuals, including certain customers of Jackson, was obtained from the two affected servers.

Jackson notified law enforcement, as well as our primary insurance regulators, and we will continue to keep them informed. Further, we are working diligently to identify all affected individuals and Jackson will ensure that appropriate notification is provided to these individuals, as well as other regulators, as soon as reasonably possible. In addition, affected individuals will receive more information about their impact and be offered credit monitoring and identity theft services.

While Jackson continues to investigate the incident, we do not believe the incident has a material adverse effect on the business, operations, or financial results of Jackson Financial Inc., our parent holding company.

Company Information