Chattanooga-based insurer Unum reveals data breach

Staff Photo by Matt Hamilton / Unum's downtown Chattanooga headquarters is shown April 12.
Staff Photo by Matt Hamilton / Unum's downtown Chattanooga headquarters is shown April 12.

Unum Group and its subsidiaries, including Starmount Life Insurance Co., on Thursday provided notice about a security incident that may have involved certain personal information about some of its customers, primarily related to its U.S. dental and vision businesses.

The data that may have been accessed varies by individual and includes name, date of birth, address, Social Security number or individual tax identification number, medical, health insurance claim and policy information, the Chattanooga-based company said in a release. Financial information and other government-issued identification numbers were involved for a limited number of individuals, the release said.

The insurer said the incident involved Moveit Transfer, a file transfer application made available by Progress Software Corp. that Unum and many other organizations in the U.S. and globally used to handle certain data transfers.

According to Unum, a U.S. government advisory last month said there has been widespread exploitation of a security vulnerability in Moveit Transfer, which has reportedly affected hundreds of organizations.

On June 1, Unum detected suspicious activity involving an instance of its Moveit Transfer application, the company said, and it promptly launched an investigation with the assistance of third-party cybersecurity experts.

Unum took several steps to respond, including taking Moveit Transfer offline; implementing vendor-recommended actions, including application of patches as Progress made them available; notifying law enforcement; and monitoring publicly available information regarding this vulnerability, the release said.

On June 4, the investigation identified evidence that between May 31 and June 1, an unauthorized party had exploited the Moveit security vulnerability to copy a subset of data. Beginning July 22, Unum was able to ascertain the nature of the personal information that was affected, the company said.

According to Unum, individuals identified as affected will receive notice where a valid mailing address is available. The notice will include specific information about how to enroll in free credit monitoring and identity protection services. The company said affected individuals are advised to remain vigilant by reviewing their account statements and monitoring their free credit reports for signs of suspicious activity.

The company said Unum takes its responsibility to safeguard personal information seriously and continues to enhance its security controls to protect from cyber threats.

Individuals with questions can visit, Unum said.

— Compiled by Mike Pare