It was reported Wednesday that hackers stole the names and Social Security numbers of around 769,000 retirees and beneficiaries of the California Public Employees' Retirement System. In addition, hackers stole their birth dates and other personal information. During the attack, the attackers exploited vulnerabilities in a contractor's cybersecurity system. In a data breach caused by a third party, some CalPERS members' personal information was exposed.
According to the California Public Employees' Retirement System, PBI Research Services/Berwyn Group was informed on June 6 that its database had a security breach. The hack was carried out using a popular application that allows file transfers between devices.
There are more than 2 million CalPERS members throughout the country, making it the largest pension fund in the country. In addition to covering the health needs of over 1.5 million members and their families, this organization also provides medical insurance. A spokesperson for CalSTRS, the second-largest public pension plan in the country, told reporters Thursday that it had also been hacked by the same vendor. However, no details were provided about the victims. CalSTRS has reported that 415,000 members and beneficiaries have been affected.
To support accuracy in payments to retirees and beneficiaries, CalPERS uses the MOVEit Transfer Application. This application encrypts data as part of its process to prevent overpayments or other errors when processing payments to retirees or beneficiaries. CalPERS uses PBI's MOVEit Transfer services to transfer. A benefit information verification process is also carried out by this department. The MOVEit Transfer app, which is used by millions of people and thousands of organizations all over the world, was also impacted by the data breach.
CalPERS retirees and their survivors were exposed to the vulnerability that PBI has since identified and resolved. Law enforcement has also been notified of the incident.
There are 17,000 teachers enrolled in the CalSTRS system. This is the largest teachers' retirement system in the United States and the second-most comprehensive pension fund in the world after Social Security. With more than 947,000 members, it is one of the largest mutual insurers in the world.
As reported in CalPERS' latest release, the agency has not yet identified the vulnerability in its MOVEit Transfer Application that was reported to the agency on June 6 by its third-party vendor, PBI Research Services. This vulnerability has since been fixed.
PBI allows CalPERS to identify death cases among its members and ensure proper payments are made to beneficiaries and retirees alike.
CalPERS said that due to the app's vulnerability, third parties could download information such as first and last names, date of birth, and Social Security numbers by downloading the app. There was also the possibility of accessing the names of family members.
According to CalPERS, the breach affected neither CalPERS's information systems nor myCalPERS, which provides access to active members. Members' monthly benefit payments will also not be affected by this change.
This breach did not affect CalPERS' information security systems. Although this is true, CalPERS has incorporated new security protocols for its website, call centers, and office locations. Members will be able to continue receiving monthly pension payments as per their personal preferences in the future.
The CalPERS Retirement System has joined forces with Experian to offer members whose personal information has been stolen a two-year credit monitoring service and an identity restoration service. Members affected by the policy change received letters outlining how to access these services.
An online Q&A posted on CalPERS' website earlier this week stated that all affected members are eligible for two years of free credit monitoring and identity restoration through Experian.
The CalPERS agency mailed letters Thursday with an agency logo and a message signed by the CEO. The letters explain what options are available and how to enroll in them.
As reported by Brett Callow, threat analyst at the cybersecurity firm Emsisoft, the hackers behind the attack claim that they have hit hundreds of businesses, government agencies, and other entities throughout the world that did not protect themselves from the attack.
Approximately 100 companies have reported personal data theft so far, Callow said, and about 30 more are expected to do so soon. In an official report issued last week, the U.S. Health and Human Services Department announced that the flu outbreak affected millions of Americans.
Those who have not received this letter and believe their personal information has been impacted may contact 833-919-4735 to file a complaint. The center's hours of operation are Monday through Friday, 6:00 a.m. to 8:00 p.m. Pacific Time, and Saturdays and Sundays, 8:00 a.m. to 5:00 p.m.
The California Public Employees' Retirement System also encourages its members to regularly review and monitor their accounts and credit history for unauthorized transactions or activity. It also encourages them to notify local police if fraud or identity theft has occurred.