Image 01 Image 03

Massive Data Breach Hits California Public Pension Funds, CalPERS and CalSTRS

Massive Data Breach Hits California Public Pension Funds, CalPERS and CalSTRS

The breach was associated with the MOVEit Transfer app, which is used by thousands of organizations worldwide that were also impacted by the incident.

California’s two top public pension funds, the largest in the nation, were stuck by a massive data breach, allowing hackers to download such data as names, birthdates, and Social Security numbers.

The personal information of about 769,000 retired CalPERS members was exposed in a third-party data breach that was reported earlier this month. CalSTRS said 415,000 of its members and beneficiaries were impacted by the breach.

CalPERS, the California Public Employees’ Retirement System, is the nation’s largest public pension fund. It serves more than 2 million members in its retirement system and more than 1.5 million in its health program.

CalSTRS, the California State Teachers’ Retirement System, is the second-largest public pension fund in the United States and the largest teachers’ retirement system. It serves more than 947,000 members.

CalPERS first said in a release Wednesday that its third-party vendor, PBI Research Services, notified the agency on June 6 of a vulnerability with its MOVEit Transfer Application that has since been fixed.

PBI helps CalPERS identify member deaths and make sure that correct payments go to retirees and their beneficiaries.

CalPERS officials respond that they will offer free credit monitoring to impacted members. This is likely to be a very costly solution for the organization.

In a Q&A posted on the agency’s website, CalPERS leaders said that all affected members are eligible to receive two years of free credit monitoring and identity restoration services through Experian. CalPERS mailed letters Thursday with the agency logo and a signed message from the CEO detailing what’s available and how to enroll.

Threat analyst Brett Callow of the cybersecurity firm Emsisoft said the hackers responsible for the attack claim that hundreds of businesses, government agencies and other entities worldwide were victims in the attack.

So far, Callow said, about 100 organizations have announced they had personal data stolen. In a report last week, the U.S. Department of Health and Human Services said that millions of Americans have been affected.

“The cost of this incident will be absolutely enormous,” Callow said. “A small town in Massachusetts called Lowell recently had to offer credit monitoring to its employees. That cost a million bucks. Now, Lowell has a population of just over 100,000, so that can’t be that many city employees.”

It took two weeks to identify the extent of the problem, and it appears PBI will no longer a vendor as a result of this incident.

A member of CalSTRS spoke with FOX40 and said, “CalSTRS is working with PBI to identify the CalSTRS members whose information was involved in PBI’s incident. CalSTRS will provide notice to any members and beneficiaries whose personal information was involved in accordance with applicable law.”

Myers says CalPERS will no longer be sending additional information to the PBI research services/Berwyn group.

“The vendor had a problem which of course is our problem. We’re unhappy about that. We’ve taken these steps to make sure we don’t get into that again,” he said.

CalPERS officials spoke with FOX40, saying that the reason behind the two-week delay between confirming the breach and alerting retirees was that the agency wanted to make sure it understood the extent of the breach and had enough information to provide potential solutions for people whose information was compromised.

These public pension funds were already in for a challenging 2023.

The stock market’s plunge battered public retirement systems in 2022. The outlook for 2023 is even more grim.

With Wall Street CEOs warning of financial carnage ahead, governors overseeing some of the nation’s largest pension systems are bracing for a hit to state investment funds that have long supported benefit plans and cash-strapped budgets. The longer the decline, the harder it gets for governments to pay retirement benefits promised to millions of teachers, cops, firefighters and other workers in exchange for careers in public service.

Thanks to cyber security problems, the year promises to be even more challenging.


Donations tax deductible
to the full extent allowed by law.


The real problem is public employees earning 6 figures and retiring early pretty wealthy, at public expense. What a benefit to this country if public unions were banned.

    wendybar in reply to Concise. | June 29, 2023 at 9:37 am

    Not to mention, great benefits for life!!

      B Buchanan in reply to wendybar. | June 29, 2023 at 12:11 pm

      Why Cali’s retirement obligations are so great: private retirement vs public retirement, real figures from personal experience. These figures are from more than a decade ago but you will get the idea.

      We had a friend, a year younger than my late husband, who retired in his 50’s from the San Jose Police dept. His retirement was 90% of his last year of income, $212,000, with a 3% increase every year, plus the large cash payout of accumulated sick leave and vacation, no limit on payout.. Generous health insurance. (This is all from public record – he was featured in a newspaper article.)

      About the same time my late husband retired early from IBM due to health. Income was around $200,000/yr (bounced around a little.) Retirement (he was in one of the last groups at IBM who had a pension) was 50% of BASE pay, ($144,000), so $72,000. (The rest of his pay was made up from “bonuses”, which was why there would be a slight variation from year to year.) There is no increase to his pension, ever. Cash out of vacation and sick leave was limited to 2 weeks. Retirement benefits are respectable but not generous. (No complaints here.)

      All current IBM employees (and anyone else in the high tech industry) pretty much only get 401K’s for their retirement now, no pensions. All the civil servants I know, including 4 of my 5 children who are employed by state, county or city governments, have pensions. My two kids employed in the state of CA have the best pensions of anyone. (The outlier, my son the attorney, is saving for himself.)

      You see the difference.

As long as the California state government is still solvent, they should cover the loss of any state employee pensions. They should have to wait their turn in line, of course, and get paid right after all illegal aliens are taken care of and reparations are given to descendents of slaves.

not_a_lawyer | June 28, 2023 at 7:49 pm

I have repeatedly stated that public employees should not get pensions. They should get 401(k) like the rest of us plebes.

The threat of losing their pension can lead to public employees engaging in activity they would not otherwise do. This is particularly true in federal law enforcement agencies like the FBI.

Honor the obligations made to current public employees, but all new hires should be offered 401(k)s, not pensions.


You have no idea how weak some of the stuff is that is supposed to be bullet proof.

fishingfool55 | June 28, 2023 at 9:23 pm

One way to protect against fraud is to freeze credit reporting from these three companies. It is free and easy to setup online. If you apply for credit or loan, you can go online and unfreeze. Again it is free to freeze/unfreeze by law.

Can’t California just unleash their secret Diversity Superpower and make this all right again?

Or was it their Diversity Superpower that kept them using a known, exploitable app for a month after its critical vulnerability was known, with another critical vulnerability being discovered a mere two months after that one?

One thing I will give California: “it appears PBI will no longer a vendor as a result of this incident.” Wow! Somebody in government (contracting) who screwed up is actually going to be held responsible? If this happened after any of the other known MOVEit Transfer data thefts, nobody has mentioned it.

    So they can bring on the next supplier with equally weak controls?

    The vendor is only as air-tight as you force them to be.

    Like many IT organizations- CA government is probably too distracted with Pride month or promoting more women in IT rather than doing their job.

      Andy in reply to Andy. | June 29, 2023 at 12:48 am

      Let’s see how many involved on the government side have their pronouns in the signature line.

mariecpa2000 | July 1, 2023 at 1:11 pm

It’s about time that these companies with massive data breaches start coming across with some real money for not protecting our information. This BS of providing “credit monitoring” is a drop in the bucket of the problems their lax security causes “us”. Bet they’d fix the problem right away!