
In a disheartening turn of events reported earlier this month, the privacy and security data of approximately 769,000 esteemed retired members of CalPERS and 415,000 valued members of CalSTRS were compromised due to an unfortunate third-party breach. CalPERS, the nation’s largest public pension fund, prides itself on serving a vast community of over 2 million members, while additionally extending its care to more than 1.5 million individuals enrolled in its health program. CalSTRS, which is distinguished as the largest teachers’ retirement system and second-largest public pension fund in the United States, serves the needs of over 947,000 members.

In a recent announcement, CalPERS has provided an update regarding a security incident involving a third-party vendor, PBI Research Services. On Wednesday, CalPERS revealed that PBI Research Services (PBI) promptly notified it on June 6 about a vulnerability found in the MOVEit Transfer application. Fortunately, this issue has been swiftly resolved by implementing the necessary security fixes.

PBI plays a crucial role in assisting CalPERS in identifying member deaths and ensuring accurate payment distribution to its retirees and their beneficiaries. Unfortunately, due to the vulnerability in one of their applications, certain unauthorized individuals were able to access and download sensitive information such as members’ first and last names, dates of birth, Social Security numbers, and even potentially the names of their family members.

However, it is important to note that this breach does not have any impact on CalPERS’ own information systems, including myCalPERS, or on the data of active members. Additionally, members can rest assured that their monthly benefit payments will remain unaffected by this incident. CalPERS remains committed to safeguarding its members’ information and is diligently addressing the situation to ensure the highest level of security moving forward.

CalPERS has indicated that the recent breach may have also impacted inactive members who are on the verge of becoming eligible for benefits. PBI revealed in a statement that they had discovered the vulnerability towards the end of May and determined that it was being actively exploited by cybercriminals. PBI promptly addressed the issue by patching its instance of MOVEit and mobilizing a team of cybersecurity and privacy experts. They also immediately notified federal law enforcement agencies and reached out to potentially affected clients.

Fortunately, it is worth noting that the cybercriminals did not gain access to any of PBI’s other systems. Their access was limited to the MOVEit administrative portal, which was vulnerable to the exploit. PBI is working closely with the affected clients to identify individuals who may have been impacted by the breach and is actively formulating comprehensive notification plans to ensure timely communication.

CalPERS has disclosed that numerous other organizations have also fallen victim to the same breach, resulting in a widespread impact. CalPERS has announced that it will begin the process of notifying affected members through personalized letters and, as part of its efforts to mitigate the impact, will extend the offer of free Experian credit monitoring for two years.

According to The Associated Press, this breach has affected various entities, including federal agencies such as the U.S. Department of Energy, along with over 9 million drivers in Oregon and Louisiana. Additionally, prestigious institutions like Johns Hopkins University, the renowned Ernst and Young accounting firm, and even notable entities like the BBC and British Airways have been impacted by this unfortunate incident. The Associated Press also stated that the notorious group known as Cl0p is suspected to be behind the hack and is employing extortion tactics against the victims affected by the breach.

In response to the breach, CalPERS has swiftly implemented new protocols for myCalPERS, reinforcing security measures for users of the call center and visitors to regional offices. CalPERS CEO Marcie Frost expressed deep disappointment in the breach, stating, “This external breach of information is inexcusable. Our members deserve better.” Assuring immediate action, CalPERS took prompt steps to safeguard the financial interests of its members while simultaneously implementing long-term protective measures.

CalSTRS has confirmed that it has also been impacted by the breach. The system received notification on June 4 regarding the exploitation of PBI’s systems. Subsequently, on June 8, it was revealed that the breach involved the personal information of certain CalSTRS members. CalSTRS has clarified that this incident did not involve unauthorized access to its own network. In collaboration with PBI, CalSTRS is actively working to identify the specific members whose information was involved in the incident. In accordance with applicable laws, CalSTRS is committed to notifying any affected members and beneficiaries regarding the breach and its impact on their personal information.

In an email, CalSTRS disclosed that the breach exposed the names, Social Security numbers, birth dates, and ZIP codes of approximately 415,000 members and their beneficiaries. CalSTRS emphasized that it is currently evaluating its relationship with PBI and the existing security measures in place. PBI has assured CalSTRS that it has implemented recommended patches to its file transfer system and has taken necessary mitigation steps. CalSTRS remains dedicated to ensuring that all of its service providers adhere to robust security measures to protect the confidentiality of its members’ information.

Kaitlin Giordano

Kaitlin Giordano is the Marketing Assistant at Apex Technology Management, a California-based IT Support Company. She holds a bachelor's degree in business administration and marketing from Boise State University. She has a passion for content writing and driving brand awareness.