On July 27, 2023, VALIC Retirement Services Company (“VRSCO,” “VALIC”) filed a notice of data breach with the Attorney General of Maine after discovering that one of the company’s vendors experienced a MOVEit data breach resulting in confidential VRSCO client information being leaked. While VRSCO filed notice of the breach with the Maine AG, the attached data breach letter was from VRSCO’s vendor, Pension Benefit Information, LLC (“PBI”). This letter explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, Social Security numbers, policy or account numbers, dates of birth and addresses. Upon completing its investigation, VALIC began sending out PBI data breach notification letters to all individuals whose information was affected by the recent data security incident.

If you received a PBI data breach notification from VALIC Retirement Services Company, or from PBI directly, it is essential you understand what is at risk and what you can do about it. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft as well as discuss your legal options following the PBI / VRSCO data breach. For more information, please see our recent piece on the topic here.

What Caused the Data Breach Affecting VRSCO Customers?

The PBI / VRSCO data breach was only recently announced, and more information is expected in the near future. However, VALIC’s filing with the Attorney General of Maine provides some important information on what led up to the breach. According to this source, Corebridge Financial, Inc., VRSCO’s parent company, relies on services provided by certain third-party vendors. One of these companies is PBI, which provides research services for insurance companies, pension funds, and other organizations, including Corebridge.

PBI uses a file-transfer software called MOVEit, which was developed by Progress Software. On May 31, 2023, Progress Software announced that the MOVEit software contained a critical vulnerability. Evidently, hackers were able to exploit this vulnerability and access the MOVEit server used by PBI. Because VRSCO provided PBI with confidential information related to its clients, VRSCO client data was among the information that was compromised. According to PBI, the compromised files were accessible to an unauthorized party between May 29, 2023 and May 30, 2023.

After learning that sensitive consumer data was accessible to an unauthorized party, PBI reviewed the compromised files to determine what information was leaked and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, Social Security number, policy or account number, date of birth and address.

On July 27, 2023, VRSCO sent out data breach letters to anyone who was affected by the recent data security incident. These letters should provide victims with a list of which information of theirs was compromised.

More Information About VALIC Retirement Services Company

VALIC Retirement Services Company is a former subsidiary of American International Group, Inc., (“AIG”), which is now a part of Corebridge Financial, Inc.. VALIC offers a range of products, including mutual fund programs, fixed, variable & income annuities, asset management programs, life insurance, brokerage accounts, and college savings plans. VALIC is based in Houston, Texas. The company generates approximately $53 billion in annual revenue.