Data Breach Notifications

Entity Information

  • Type of Organization: Other Commercial
  • Entity Name: Willis Towers Watson US LLC and its affiliate Acclaris, Inc.
  • Street Address: 800 North Glebe Road
  • City: Arlington
  • State, or Country if outside the US: VA
  • Zip Code: 22203

Submitted By

  • Name: Fernando Pinguelo
  • Title: Associate General Counsel, Global Privacy Office
  • Firm name (if different than entity):
  • Telephone Number: 2123093523
  • Email Address: privacy@willistowerswatson.com
  • Relationship to entity whose information was compromised: Employee

Breach Information

  • Total number of persons affected (including residents): 1,765
  • Total number of Maine residents affected: 4
  • If the number of Maine residents exceeds 1,000, have the consumer reporting agencies been notified:
  • Date(s) Breach Occured: 05/29/2023
  • Date Breach Discovered: 06/22/2023
  • Description of the Breach:
    • Other, External system breach (hacking)
    • If other, please specify: Pension Benefit Information, LLC (PBI), uses the MOVEit Transfer software (MOVEit) to accept and share files from its clients, such as WTW. According to published reports, in late May, Progress Software, owner of MOVEit, had a zero-day vulnerability that was exploited by cyber criminals. According to PBI, it promptly launched an investigation, with the assistance of third-party cybersecurity specialists, to determine the potential impact of the vulnerabilities’ presence on its MOVEit Transfer servers and on the data housed on the servers. According to PBI’s investigation, threat actor exploited a zero-day SQL injection vulnerability and accessed one of PBI’s MOVEit Transfer servers between May 29 and May 30, 2023 and there were indicators of data exfiltration during the window of compromise.
  • Information Acquired - Name or other personal identifier in combination with: Social Security Number

Notification and Protection Services

  • Type of Notification: Written
  • Date(s) of consumer notification: 08/10/2023
  • Copy of notice to affected Maine residents: PBI Adult Consumer Letter 7.5.23.docx
  • Date of any previous (within 12 months) breach notifications:
  • Were identity theft protection services offered: Yes
  • If yes, please provide the duration, the provider of the service and a brief description of the service: 24 months of identity monitoring from Kroll