Marsh & McLennan Cos. Inc. was hit by a data breach in April involving access to Social Security numbers and other personal information of staff, former staff, clients and a range of other people linked to the brokerage.
The company sent a breach notification dated June 30, which was obtained by Business Insurance, stating that it discovered the breach on April 26 and that an “unauthorized actor had leveraged a vulnerability in a third party’s software since at least April 22.”
The breach involved a “limited set of data,” and Marsh McLennan notified law enforcement authorities and took action that ended the breach on April 30, the notification said. The company said it reset system access rights and imposed additional restrictions.
The information involved included names, Social Security numbers or other federal tax identification numbers.
Marsh McLennan said in the notification it held the data because recipients were current or former staff and their families, employees or former employees of clients, contractors, applicants, investors or people who had a relationship with a company it purchased.
The brokerage said it regretted the incident and that there was no evidence to suggest that the information had been misused. The company offered complimentary credit monitoring for two years, identity theft detection and resolution services and up to $1 million in identity theft insurance coverage.
In a statement, a Marsh McLennan spokeswoman said: “In late April, we detected unauthorized access to a limited set of data in our environment. At no point was there any disruption in our operations. We promptly investigated and remediated the issue and are in the process of notifying impacted individuals.”
She declined to comment further on the data breach.
The breach is one of several cyberattacks on high-profile insurance industry companies over the past year.
Last September, brokerage Arthur J. Gallagher & Co. was hit by a ransomware attack, and in March, insurer CNA Financial Corp. was hit by a ransomware attack, which it reportedly paid $40 million to resolve.