The breach was associated with the MOVEit Transfer app, which is used by thousands of organizations worldwide that were also impacted by the incident.
California’s two top public pension funds, the largest in the nation, were struck by a massive data breach, allowing hackers to download such data as names, birthdates, and Social Security numbers.
The personal information of about 769,000 retired CalPERS members was exposed in a third-party data breach that was reported earlier this month. CalSTRS said 415,000 of its members and beneficiaries were impacted by the breach.
CalPERS, the California Public Employees’ Retirement System, is the nation’s largest public pension fund. It serves more than 2 million members in its retirement system and more than 1.5 million in its health program.
CalSTRS, the California State Teachers’ Retirement System, is the second-largest public pension fund in the United States and the largest teachers’ retirement system. It serves more than 947,000 members.
CalPERS first said in a release Wednesday that its third-party vendor, PBI Research Services, notified the agency on June 6 of a vulnerability with its MOVEit Transfer Application that has since been fixed.
PBI helps CalPERS identify member deaths and make sure that correct payments go to retirees and their beneficiaries.
CalPERS officials responded that they will offer free credit monitoring to impacted members. This is likely to be a very costly solution for the organization.
In a Q&A posted on the agency’s website, CalPERS leaders said that all affected members are eligible to receive two years of free credit monitoring and identity restoration services through Experian. CalPERS mailed letters Thursday with the agency logo and a signed message from the CEO detailing what’s available and how to enroll.
Threat analyst Brett Callow of the cybersecurity firm Emsisoft said the hackers responsible for the attack claim that hundreds of businesses, government agencies and other entities worldwide were victims in the attack.
So far, Callow said, about 100 organizations have announced they had personal data stolen. In a report last week, the U.S. Department of Health and Human Services said that millions of Americans have been affected.
“The cost of this incident will be absolutely enormous,” Callow said. “A small town in Massachusetts called Lowell recently had to offer credit monitoring to its employees. That cost a million bucks. Now, Lowell has a population of just over 100,000, so that can’t be that many city employees.”
It took two weeks to identify the extent of the problem, and it appears PBI will no longer be a vendor as a result of this incident.
A member of CalSTRS spoke with FOX40 and said, “CalSTRS is working with PBI to identify the CalSTRS members whose information was involved in PBI’s incident. CalSTRS will provide notice to any members and beneficiaries whose personal information was involved in accordance with applicable law.”
Myers says CalPERS will no longer be sending additional information to PBI Research Services/Berwyn Group.
“The vendor had a problem which of course is our problem. We’re unhappy about that. We’ve taken these steps to make sure we don’t get into that again,” he said.
CalPERS officials spoke with FOX40, saying that the reason behind the two-week delay between confirming the breach and alerting retirees was that the agency wanted to make sure it understood the extent of the breach and had enough information to provide potential solutions for people whose information was compromised.
These public pension funds were already in for a challenging 2023.
The stock market’s plunge battered public retirement systems in 2022. The outlook for 2023 is even more grim.
With Wall Street CEOs warning of financial carnage ahead, governors overseeing some of the nation’s largest pension systems are bracing for a hit to state investment funds that have long supported benefit plans and cash-strapped budgets. The longer the decline, the harder it gets for governments to pay retirement benefits promised to millions of teachers, cops, firefighters and other workers in exchange for careers in public service.
Thanks to cyber security problems, the year promises to be even more challenging.