CalPERS, CalSTRS members’ information exposed in data breach
The personal information of about 769,000 retired CalPERS members was exposed in a third-party data breach reported earlier this month. CalSTRS also said it was affected by the breach, and KCRA 3 is trying to find out how many of its members were affected. CalPERS, the California Public Employees’ Retirement System, is the nation’s largest public pension fund. It serves more than 2 million members in the pension system and more than 1.5 million in the health program. CalSTRS, the California State Teachers’ Retirement System, is the second largest public pension fund in the United States and the largest retirement system for teachers. It serves more than 947,000 members. CalPERS first said in a release Wednesday that third-party vendor PBI Research Services/Berwyn Group notified the agency on June 6 of a vulnerability with the MOVEit Transfer Application that has since been fixed. PBI helps CalPERS identify member deaths and ensure proper payments go to retirees and their beneficiaries. The app̵[ads1]7;s vulnerability allowed data such as first and last name, date of birth and social security number to be downloaded by an unauthorized third party, CalPERS said. The names of members’ family members could also be available. CalPERS said the breach did not affect its own information systems, myCalPERS or active members. It also does not affect members’ monthly benefit payments. But along with retired members and their families, the breach also may have affected inactive members who will soon become eligible for benefits, CalPERS said. PBI said it reported the breach to federal law enforcement. CalPERS said thousands of other organizations have also been affected by the breach. CalPERS said Thursday it will begin sending letters to affected members about the breach and will offer them free Experian credit monitoring for two years. It was not immediately clear whether CalPERS has received reports of fraud related to the breach. KCRA 3 also asks why the agency waited until this week to announce the breach. People can email questions about the breach to PBIquestions@calpers.ca.gov or call 833-919-4735 Monday through Friday from 6 a.m. to 8 p.m. or Saturday and Sunday from 8 a.m. to 5 p.m. CalPERS said that in response to the breach creating new protocols for myCalPERS and safeguards for those using the call center or visiting a regional office. “This external breach of information is inexcusable,” CalPERS CEO Marcie Frost said in a statement. “Our members deserve better. As soon as we became aware of what happened, we took swift action to protect our members’ financial interests, as well as steps to ensure long-term protection.” On Thursday, CalSTRS confirmed it was also affected when asked by KCRA 3. The system said it was notified June 4, two days before CalPERS said it was notified. “This incident did not involve unauthorized access to CalSTRS’ network,” CalSTRS said. “CalSTRS is working with PBI to identify the CalSTRS members whose information was involved in PBI’s incident. CalSTRS will notify all members and beneficiaries whose personal information was involved in accordance with applicable law.”
The personal information of about 769,000 retired CalPERS members was exposed in a third-party data breach reported earlier this month. CalSTRS also said it was affected by the breach, and KCRA 3 is trying to find out how many of its members were affected.
CalPERS, the California Public Employees’ Retirement System, is the nation’s largest public pension fund. It serves more than 2 million members in the pension system and more than 1.5 million in the health program.
CalSTRS, the California State Teachers’ Retirement System, is the second largest public pension fund in the United States and the largest retirement system for teachers. It serves more than 947,000 members.
CalPERS first said in a release Wednesday that third-party vendor PBI Research Services/Berwyn Group notified the agency on June 6 of a vulnerability with the MOVEit Transfer Application that has since been fixed.
PBI helps CalPERS identify member deaths and ensure proper payments go to retirees and their beneficiaries.
The app’s vulnerability allowed data such as first and last name, date of birth and social security number to be downloaded by an unauthorized third party, CalPERS said. The names of members’ family members could also be available.
CalPERS said the breach did not affect its own information systems, myCalPERS or active members. It also does not affect members’ monthly benefit payments.
But along with retired members and their families, the breach also may have affected inactive members who will soon become eligible for benefits, CalPERS said.
PBI said it reported the breach to federal law enforcement. CalPERS said thousands of other organizations have also been affected by the breach.
CalPERS said Thursday it will begin sending letters to affected members about the breach and will offer them free Experian credit monitoring for two years.
It was not immediately clear whether CalPERS has received reports of fraud related to the breach. KCRA 3 also asks why the agency waited until this week to announce the breach.
People can email questions about the breach to PBIquestions@calpers.ca.gov or call 833-919-4735 Monday through Friday from 6 a.m. to 8 p.m. or Saturday and Sunday from 8 a.m. to 5 p.m.
CalPERS said that in response to the breach, it is creating new protocols for myCalPERS and security measures for those using the call center or visiting a regional office.
“This external breach of information is inexcusable,” CalPERS CEO Marcie Frost said in a statement. “Our members deserve better. As soon as we learned of what happened, we took swift action to protect our members’ financial interests, as well as steps to ensure long-term protection.”
On Thursday, CalSTRS confirmed it was also affected when asked by KCRA 3. The system said it was notified June 4, two days before CalPERS said it was notified.
“This incident did not involve unauthorized access to CalSTRS’ network,” CalSTRS said. “CalSTRS is working with PBI to identify the CalSTRS members whose information was involved in PBI’s incident. CalSTRS will notify all members and beneficiaries whose personal information was involved in accordance with applicable law.”