The personal information of about 769,000 retired CalPERS members was exposed in a third-party data breach that was reported earlier this month. CalSTRS said 415,000 of its members and beneficiaries were impacted by the breach.CalPERS, the California Public Employees’ Retirement System, is the nation’s largest public pension fund. It serves more than 2 million members in its retirement system and more than 1.5 million in its health program.CalSTRS, the California State Teachers’ Retirement System, is the second-largest public pension fund in the United States and the largest teachers’ retirement system. It serves more than 947,000 members. CalPERS first said in a release Wednesday that its third-party vendor, PBI Research Services, notified the agency on June 6 of a vulnerability with its MOVEit Transfer Application that has since been fixed. PBI helps CalPERS identify member deaths and make sure that correct payments go to retirees and their beneficiaries. The app’s vulnerability allowed data like first and last names, date of birth and Social Security numbers to be downloaded by an unauthorized third party, CalPERS said. The names of members’ family members could also have been accessed. CalPERS said the breach did not impact its own information systems, myCalPERS or active members. It also does not affect members’ monthly benefits payments. But along with retired members and their families, the breach could have also impacted inactive members who soon become eligible for benefits, CalPERS said. PBI said in a statement that it identified the vulnerability “at the end of May” and that it was “actively being exploited by cyber criminals.” “PBI promptly patched its instance of MOVEit, assembled a team of cybersecurity and privacy specialists, notified federal law enforcement and contacted potentially impacted clients,” PBI said. “The cyber criminals did not gain access to PBI’s other systems – access was only gained to the MOVEit administrative portal subject to the vulnerability. PBI is working directly with impacted clients to identify impacted consumers and develop notice plans.”Thousands of other organizations have also been impacted by the breach, CalPERS said.According to The Associated Press, the U.S. Department of Energy and other federal agencies were compromised, along with more than 9 million drivers in Oregon and Louisiana, Johns Hopkins University, the Ernst & Young accounting firm, the BBC and British Airways. CalPERS said that on Thursday, it will begin sending letters to impacted members about the breach and will offer them free Experian credit monitoring for two years. It was not immediately clear if CalPERS has received reports of fraud in connection with the breach. KCRA 3 is also asking why the agency waited until this week to announce the breach. “I felt just– flabbergasted that they didn’t say anything to anybody before this. We should have known. We should have been able to check our accounts,” said Randy Cheek, legislative director for the Retired Public Employees’ Association of California. The AP reported that the criminal gang Cl0p, which is believed to be responsible for the hack, is extorting victims. CalPERS members can email questions about the breach to [email protected] or call 833-919-4735 Monday through Friday from 6 a.m. to 8 p.m. or Saturday and Sunday from 8 a.m. to 5 p.m. CalPERS said that in response to the breach, it is making new protocols for myCalPERS and safeguards for those who use the call center or who visit a regional office. “This external breach of information is inexcusable,” CalPERS CEO Marcie Frost said in a statement. “Our members deserve better. As soon as we learned about what happened, we took fast action to protect our members’ financial interests, as well as steps to ensure long-term protections.”On Thursday, CalSTRS confirmed it was also impacted when asked by KCRA 3. The system said it was informed on June 4 that PBI’s systems were exploited. On June 8, it was told the breach contained the personal information of some of its members. “This incident did not involve unauthorized access to CalSTRS’ network,” CalSTRS said. “CalSTRS is working with PBI to identify the CalSTRS members whose information was involved in PBI’s incident. CalSTRS will provide notice to any members and beneficiaries whose personal information was involved in accordance with applicable law.”CalSTRS, in a Friday email, said that the names, Social Security numbers, dates of birth and ZIP codes of 415,000 members and their beneficiaries were released by the breach. Those affected were sent a letter identifying resources available to help protect private information.”CalSTRS is evaluating the relationship with PBI Research Services and security measures in place,” the agency said. “PBI has informed CalSTRS that it applied the recommended patches to its file transfer system and taken the recommended mitigation steps. CalSTRS continues to work to ensure that all of our service providers implement security measures that protect our members’ information.”
The personal information of about 769,000 retired CalPERS members was exposed in a third-party data breach that was reported earlier this month. CalSTRS said 415,000 of its members and beneficiaries were impacted by the breach.
CalPERS, the California Public Employees’ Retirement System, is the nation’s largest public pension fund. It serves more than 2 million members in its retirement system and more than 1.5 million in its health program.
CalSTRS, the California State Teachers’ Retirement System, is the second-largest public pension fund in the United States and the largest teachers’ retirement system. It serves more than 947,000 members.
CalPERS first said in a release Wednesday that its third-party vendor, PBI Research Services, notified the agency on June 6 of a vulnerability with its MOVEit Transfer Application that has since been fixed.
PBI helps CalPERS identify member deaths and make sure that correct payments go to retirees and their beneficiaries.
The app’s vulnerability allowed data like first and last names, date of birth and Social Security numbers to be downloaded by an unauthorized third party, CalPERS said. The names of members’ family members could also have been accessed.
CalPERS said the breach did not impact its own information systems, myCalPERS or active members. It also does not affect members’ monthly benefits payments.
But along with retired members and their families, the breach could have also impacted inactive members who soon become eligible for benefits, CalPERS said.
PBI said in a statement that it identified the vulnerability “at the end of May” and that it was “actively being exploited by cyber criminals.”
“PBI promptly patched its instance of MOVEit, assembled a team of cybersecurity and privacy specialists, notified federal law enforcement and contacted potentially impacted clients,” PBI said. “The cyber criminals did not gain access to PBI’s other systems – access was only gained to the MOVEit administrative portal subject to the vulnerability. PBI is working directly with impacted clients to identify impacted consumers and develop notice plans.”
Thousands of other organizations have also been impacted by the breach, CalPERS said.
According to The Associated Press, the U.S. Department of Energy and other federal agencies were compromised, along with more than 9 million drivers in Oregon and Louisiana, Johns Hopkins University, the Ernst & Young accounting firm, the BBC and British Airways.
CalPERS said that on Thursday, it will begin sending letters to impacted members about the breach and will offer them free Experian credit monitoring for two years.
It was not immediately clear if CalPERS has received reports of fraud in connection with the breach. KCRA 3 is also asking why the agency waited until this week to announce the breach.
“I felt just– flabbergasted that they didn’t say anything to anybody before this. We should have known. We should have been able to check our accounts,” said Randy Cheek, legislative director for the Retired Public Employees’ Association of California.
The AP reported that the criminal gang Cl0p, which is believed to be responsible for the hack, is extorting victims.
CalPERS members can email questions about the breach to [email protected] or call 833-919-4735 Monday through Friday from 6 a.m. to 8 p.m. or Saturday and Sunday from 8 a.m. to 5 p.m.
CalPERS said that in response to the breach, it is making new protocols for myCalPERS and safeguards for those who use the call center or who visit a regional office.
“This external breach of information is inexcusable,” CalPERS CEO Marcie Frost said in a statement. “Our members deserve better. As soon as we learned about what happened, we took fast action to protect our members’ financial interests, as well as steps to ensure long-term protections.”
On Thursday, CalSTRS confirmed it was also impacted when asked by KCRA 3. The system said it was informed on June 4 that PBI’s systems were exploited. On June 8, it was told the breach contained the personal information of some of its members.
“This incident did not involve unauthorized access to CalSTRS’ network,” CalSTRS said. “CalSTRS is working with PBI to identify the CalSTRS members whose information was involved in PBI’s incident. CalSTRS will provide notice to any members and beneficiaries whose personal information was involved in accordance with applicable law.”
CalSTRS, in a Friday email, said that the names, Social Security numbers, dates of birth and ZIP codes of 415,000 members and their beneficiaries were released by the breach. Those affected were sent a letter identifying resources available to help protect private information.
“CalSTRS is evaluating the relationship with PBI Research Services and security measures in place,” the agency said. “PBI has informed CalSTRS that it applied the recommended patches to its file transfer system and taken the recommended mitigation steps. CalSTRS continues to work to ensure that all of our service providers implement security measures that protect our members’ information.”
