PBI Research Services (PBI) has suffered a data breach, with three clients revealing that the data of 4.75 million people was stolen in the recent MOVEit Transfer data theft attacks.
These attacks began on May 27, 2023, when the Clop ransomware gang started exploiting a zero-day vulnerability in MOVEit Transfer to allegedly steal data from hundreds of companies.
During the past week, the Clop gang started extorting businesses, slowly listing affected organizations on its data leak site in an attempt to pressure victims into paying a ransom demand.
According to three different PBI customer disclosures, millions of customers had their sensitive data exposed in these attacks. However, this number may increase as other companies disclose more.
The first entity affected is Genworth Financial, a Virginia-based provider of life insurance services.
In a MOVEit Security Event Notification posted on its website, Genworth says PBI notified it of the security breach on May 29, 2023, and verified on June 16 that customers’ personal data had been stolen.
The firm estimates that the data breach affected between 2.5 and 2.7 million people who are either its clients (insurance, annuity, long-term care) or work for them as insurance agents.
The exposed data includes the following:
- Full name
- Date of birth
- Social Security number
- Postal code
- State of residence
- Policy number
- Agent ID (for agents)
Genworth says this attack did not impact its own systems and networks or its business operations because it does not use MOVEit or GoAnywhere products.
Affected individuals will receive data breach notifications in the coming weeks, which will include instructions for signing up for free credit monitoring and identity theft protection services.
The second company affected by the PBI breach is Wilton Reassurance, a New York-based insurance provider, which reports that 1,482,490 of its customers had their data stolen.
As reported to the Maine Attorney General’s office, the exposed information includes clients’ names and Social Security numbers.
Although a sample data breach notification letter has not yet been uploaded to the Maine portal, Wilton Reassurance has advised that it will provide 12 months of free identity theft protection and credit monitoring services via Kroll to the affected individuals.
The third company affected by the PBI data breach is CalPERS (California Public Employees’ Retirement System), the largest public pension fund in the United States, which is now notifying retirees and beneficiaries of the event.
In a notice on its website, CalPERS says it responded to the situation immediately upon becoming aware of the breach and took steps to secure its members’ benefits and data by strengthening its data management protocols relating to working with contractors.
The agency says approximately 769,000 of its members were affected by the security incident, all of whom will receive notification letters with detailed information on how to access two years of free credit monitoring service through Experian.
As of this writing, PBI Research Services was not listed on Clop’s data leak site. While this could mean the company is negotiating with threat actors not to release data, it could also mean that Clop has yet to begin extorting the organization.
BleepingComputer contacted PBI to comment on the situation, but we did not hear back by publication time.