CalPERS, CalSTRS, Genworth Among Those Affected by MOVEit Data Breach

The California Public Employees’ Retirement System, the California State Teachers Retirement System and Genworth Financial Inc. revealed that some of their clients’ personal information was involved in a data breach that hit third-party vendor PBI Research Services’ MOVEit Transfer Application, used by thousands of organizations.

PBI provides services to pension funds to identify member deaths so that proper payments are made to retirees and beneficiaries and to prevent overpayments or other errors. For life insurance firms like Genworth, the company helps identify the possible eligibility of beneficiaries for death benefits or for policies beneficiaries may not know exist.

According to CalPERS, while the data breach did not impact its information systems, it did impact the personal information of approximately 769,000 members, including retired members, some of whom are inactive members and may soon be eligible for benefits. The pension fund is offering free credit monitoring to retirees and beneficiaries with impacted personal information and is also mailing tips on how to protect their information. CalPERS is also providing information on its website and through its customer contact center.

“This external breach of information is inexcusable,” CalPERS CEO Marcie Frost said in a release. “Our members deserve better. As soon as we learned about what happened, we took fast action to protect our members’ financial interests, as well as steps to ensure long-term protections.”

According to CalPERS, PBI reported the hack to federal law enforcement and told CalPERS it has resolved the vulnerability, while also adding additional security measures. The pension fund also stated that in response to the breach, it has taken “several additional and immediate actions to secure its members’ benefits,” including new protocols on the member benefits website, myCalPERS, and additional safeguards for users of the member contact center and for participants who visit any CalPERS regional office.

Although CalSTRS and CalPERS were first notified of the breach on June 4 and June 6, respectively, CalPERS said it took more than two weeks to notify members because PBI’s initial communication “did not provide sufficient detail as to the scope of the data that was impacted and the individuals to which that data belonged,” adding that, “we share the frustrations this third-party vendor breach has created for CalPERS members and their families.”

According to an emailed statement, PBI uses Progress Software’s MOVEit file transfer application with multiple clients, and at the end of May, Progress Software identified a “zero-day vulnerability” in the MOVEit software that was actively being exploited by cyber criminals.

“PBI promptly patched its instance of MOVEit, assembled a team of cybersecurity and privacy specialists, notified federal law enforcement and contacted potentially impacted clients,” the company stated. “The cyber criminals did not gain access to PBI’s other systems—access was only gained to the MOVEit administrative portal subject to the vulnerability. PBI is working directly with impacted clients to identify impacted consumers and develop notice plans.”

CalSTRS stated via email that the hack did not involve unauthorized access to its network; however, it is working with PBI to identify the CalSTRS members whose information was involved. The pension fund intends to provide notice to members and beneficiaries whose personal information was involved, “in accordance with applicable law.”

Genworth declined to elaborate on its June 22 SEC filing, in which it said it was notified by PBI of the breach and that it “believes that the personal information of a significant number of insurance policyholders or other customers of its life insurance businesses was unlawfully accessed.” Genworth stated it is “working to ensure that protection services are provided to those impacted individuals” and that it believes the breach did not impact any of its information systems, including its financial systems, and that there has not been any material interruption of its business operations.