The fallout from a global hacking incident tied to Russian cybercriminals widened on Thursday as US insurance provider Genworth Financial revealed that 2.5 million of its policyholders and customers had their data accessed in the hack, while California's public pension fund said 769,000 of its members were affected.
The news comes as consulting giants PwC and Ernst & Young said they were investigating their exposure to the hack, one of the more far-reaching data breaches in years involving a single piece of software.
Hackers accessed Social Security numbers and other customer information, Genworth Financial said in a regulatory filing.
While the company said it's continuing to "measure the impact" of the breach, it "does not currently believe this incident will have a material adverse effect on its business, operations, or financial results."
The California Public Employees' Retirement System said in a separate public statement that more than three-quarters of a million of its members had their Social Security numbers accessed.
Meanwhile, millions of people in Louisiana and Oregon have also had Social Security numbers or other personal data compromised in the incident, the motor vehicle departments of those states said last week.
Those victim organizations did not identify the Russian cybercriminals as responsible for the hack, but said they were hacked via popular file-transfer software called MOVEit. Federal officials have blamed a broader hacking campaign exploiting the software on a Russian group known as CLOP.
The sprawling breach is causing mounting legal and security headaches for the organizations that own that data. Companies that have had their data stolen have to choose between paying off unscrupulous cybercriminals and having their sensitive client information dumped online by the hackers if they don't pay.
There haven't been reports of widespread identity theft tied to the data theft, but organizations whose data was stolen are preemptively offering credit monitoring to customers.
The saga began in late May when CLOP allegedly exploited a previously unknown vulnerability in file-transfer software known as MOVEit used by thousands of corporations and government agencies around the world. It set off a scramble by government officials and private experts to kick the hackers out of networks and limit the amount of ransoms paid — money that experts say could fuel future ransomware attacks.
PwC said in a statement to CNN on Thursday that a "small number of clients" had files impacted by the hack, while Ernst & Young said "the vast majority" of the firm's systems that use the affected software "were not compromised."
The hackers also accessed data belonging to multiple federal agencies, CNN first reported last week, including the Department of Energy and the Department of Agriculture.
While no federal agencies have reported ransom demands, the hackers have been known to demand tens of millions of dollars in ransom for data stolen or encrypted from corporate victims.
Of the corporate and non-government victims in the US, "very few" have paid a ransom, Eric Goldstein, a senior Cybersecurity and Infrastructure Security Agency official, told CNN on Wednesday.
Still, some victims have paid the hackers, according to Charles Carmakal, chief technology officer at Mandiant Consulting, a Google-owned firm hired by some victims to respond to the hacking. He declined to specify the number of victims he is aware of who have paid the ransom, or the amounts they've paid.
"Some organizations will pay over time" as the pressure to protect customer data grows, Carmakal predicted.
"Organizations should assess the value of the stolen data and the potential harm that can come out of it being publicly exposed," Carmakal told CNN.
Progress Software, the US firm that makes the MOVEit software, has already been hit with a class-action lawsuit for allegedly failing to safeguard customer data. But the company has maintained that it promptly investigated the vulnerability, issued a security fix and offered customers' guidance on protecting themselves.
