The California Public Employees’ Retirement System (CalPERS) reported Wednesday that hackers stole the names, social security numbers, birth dates and other confidential information of roughly 769,000 retirees and beneficiaries, taking advantage of a vulnerability in a contracted vendor’s cybersecurity system.
“This external breach of information is inexcusable,” CalPERS Chief Executive Officer Marcie Frost said in a news release. “Our members deserve better. As soon as we learned about what happened, we took fast action to protect our members’ financial interests, as well as steps to ensure long-term protections.”
In a Q&A posted on the agency’s website, CalPERS leaders said that all affected members are eligible to receive two years of free credit monitoring and identity restoration services through Experian. The notice said letters detailing what’s available and how to enroll had been sent to those affected. The hackers also may have gotten information on CalPERS members’ former or current employers, spouses or domestic partners, and children. All types of retirees are affected, whether they worked for the state, public agencies, school districts, in the courts or in the California Legislature.
The agency notice said that a third-party vendor, PBI Research Services+Berwyn Group, had informed CalPERS of the breach on June 6 and that CalPERS moved swiftly to secure its member accounts, rolling out new security protocols to protect them.
Randy Cheek, the legislative director of the Retired Public Employees Association of California, said he was livid that he and other affected members were not informed of this breach immediately.
When asked about the lag between learning about the hack and alerting members, CalPERS officials told The Sacramento Bee: “We needed to make sure we had all the facts and that our system was secure before alerting retirees. Our primary duty was and is to ensure the safety of all our member and retiree information.”
PBI, the third-party vendor, helps CalPERS to identify any members who have died, helping the agency to prevent overpayments or other errors. PBI also validates information on inactive members, helping CalPERS to assess who may be eligible for benefits soon. CalPERS said that PBI was using a data transfer application called MOVEit Transfer that organizations around the nation use to share data securely. The application boasts encryption, tracking and access controls for secure collaboration and automated transfers.
The hacker community discovered a critical vulnerability in the MOVEit Transfer software and one group exploited it before a patch was deployed, using malicious software code to gain unauthorized access to data not intended to be displayed, according to the notice on the CalPERS website. Because the MOVEit Transfer app is used by multiple hospitals, clinics, and health insurance groups to share sensitive information such as medical records, bank records, and Social Security numbers, the U.S. Department of Health and Human Services has kept tabs on vulnerabilities that could leave health-care companies open to having data stolen or held for ransom.
“They found out about it two weeks ago ... and they’re just now saying something, and they’re gonna send letters out tomorrow,” Cheek said. “On top of that, they didn’t even tell the bank because I just called Golden 1 and they had no idea. I talked to their top security guy.” Golden 1, Cheek said, holds accounts on hundreds of thousands of state employees, and it should have been alerted so they could enhance security.
In a dispatch last week, HHS said that local, state, and federal agencies had reported Thursday that they had been targeted by hackers leveraging the MOVEit Transfer vulnerabilities.
CalPERS officials stressed that their systems were not threatened or breached in this attack and that retirees’ money is secure. They recommended that, in addition to enrolling in credit monitoring services, retirees and beneficiaries regularly review and monitor their accounts and credit reports.
If you suspect identity theft or fraud, agency officials said, contact the police. If you believe you were affected but have not received a letter, you can call 833-919-4735 from 6 a.m. to 8 p.m. Monday through Friday and from 8 a.m. to 5 p.m. on Saturday and Sunday. The lines will be closed on major holidays.
(c)2018 The Sacramento Bee. Distributed by Tribune Content Agency, LLC.