CalPERS, the California Public Employees’ Retirement System, was hit by a cybersecurity breach earlier this month that compromised the data of approximately 769,000 California retirees and their family members.
On June 21, CalPERS posted a notice on its website describing a third-party data breach affecting consumers nationwide. The notice said CalPERS is in the process of notifying impacted retirees that their Social Security numbers and other confidential information were compromised when hackers were able to exploit a vulnerability in software used by CalPERS.
CalPERS explained that the incident affected all retirees from the state, public agencies, school districts and retirees of the Judges’ Retirement System and Legislators’ Retirement System. The breach also leaked information belonging to those listed as members’ beneficiaries.
Personal information that was downloaded included: First and Last Name; Date of Birth; and Social Security Number. It could have also included the names of former or current employers, spouse or domestic partner, and child or children. The information that was taken involves anyone who was receiving an ongoing monthly benefit payment as of this spring.
CalPERS notes that the incident stemmed from a third-party vendor’s use of the managed file transfer software. On June 6, 2023, CalPERS was notified by its vendor, PBI Research Services/Berwyn Group (PBI), that a vulnerability in the MOVEit file-transfer software created by Progress Software allowed hackers to download confidential member data.
CalPERS uses PBI’s services to ensure accuracy in its payments to retirees and beneficiaries and sent data to PBI in a secure, encrypted format. The cybersecurity breach did not impact CalPERS’ information systems or myCalPERS.
Specifically, PBI provides services to CalPERS to identify member deaths. These services ensure that proper payments are made to retirees and beneficiaries and prevent instances of overpayments or other errors. PBI also validates information on inactive members who may soon be eligible for benefits.
PBI has reported the matter to federal law enforcement and has told CalPERS it has resolved the vulnerability, while also adding additional security measures.
CalPERS is offering affected consumers two years of complimentary credit monitoring and identity restoration services through Experian. A letter detailing these services was recently mailed to impacted retirees or their survivors with instructions on how to enroll.
The nation’s largest defined benefit public pension fund noted the data breach only impacted CalPERS retirees and their survivors, and not active members.
In the wake of the incident, Marlton, N.J.-based personal injury law firm Console & Associates, P.C., issued a press release advising victims of the breach to consider contacting a data breach attorney immediately. “Those consumers who receive a data breach letter from CalPERS may be entitled to financial compensation,” the release states.
SEE ALSO:
• CalPERS Set to Heavily Boost Venture Capital Investments
• Retirement Clearinghouse Notifies 10,500 Individuals of Data Breach
• SPARK Institute Releases Updated Cybersecurity Standards for Plan Sponsors and Advisors
Veteran financial services industry journalist Brian Anderson joined 401(k) Specialist as Managing Editor in January 2019. He has led editorial content for a variety of well-known properties including Insurance Forums, Life Insurance Selling, National Underwriter Life & Health, and Senior Market Advisor. He has always maintained a focus on providing readers with timely, useful information intended to help them build their business.