“This external breach of information is inexcusable,” said CalPERS Chief Executive Officer Marcie Frost in a news release. “Our members deserve better. As soon as we learned about what happened, we took fast action to protect our members’ financial interests, as well as steps to ensure long-term protections.”
In a Q&A posted on the agency’s website, CalPERS leaders said that all affected members are eligible to receive two years of free credit monitoring and identity restoration services through Experian. The notice said letters detailing what’s available and how to enroll had been sent to those affected.
The hackers also may have gotten the information on CalPERS members’ former or current employers, spouses or domestic partners, and children. All types of retirees are affected, whether they worked for the state, public agencies, school districts, in the courts or in the California legislature.
If you believe you were affected but have not received a letter, you can call 833-919-4735 6 a.m. to 8 p.m. Pacific Monday through Friday and 8 a.m. to 5 p.m. Pacific on Saturday and Sunday. The lines will be closed on major holidays.
The agency notice said that a third-party vendor, PBI Research Services + Berwyn Group, had informed CalPERS of the breach on June 6, 2023, and that CalPERS then rolled out new security protocols to protect member accounts.
Retiree asks: What took CalPERS so long?
Randy Cheek, the legislative director of the Retired Public Employees Association, said he was livid that he and other affected members were not informed of this breach immediately. Cheek made a run for a seat on the 13-member CalPERS Board of Administration but lost to retired union chief Yvonne Walker last December.
“They found out about it two weeks ago ... and they’re just now saying something, and they’re gonna send letters out tomorrow,” he said. “On top of that, they didn’t even tell the bank because I just called Golden 1 and they had no idea. I talked to their top security guy.”
Golden 1, Cheek said, holds accounts on hundreds of thousands of state employees, and it should have been alerted so they could enhance security.
When asked about the lag between learning about the hack and alerting members, CalPERS officials told The Sacramento Bee: “We needed to make sure we had all the facts and that our system was secure before alerting retirees. Our primary duty was and is to ensure the safety of all our member and retiree information.”
PBI, the third-party vendor, helps CalPERS to identify any members who have died, helping the agency to prevent overpayments or other errors. PBI also validates information on inactive members, helping CalPERS to assess who may be eligible for benefits soon.
CalPERS said that PBI was using a file transfer application called MOVEit Transfer, which organizations around the nation use to share data securely. The application advertises encryption, tracking and access controls for secure collaboration and automated transfers.
How did hackers get CalPERS data?
Hackers discovered a critical vulnerability in the MOVEit Transfer software, and one group exploited it before a patch was available, using malicious software code to gain unauthorized access to data not intended to be displayed, according to the notice on the CalPERS website.
Because MOVEit Transfer is used by multiple hospitals, clinics and health insurance groups to share sensitive information such as medical records, bank records and Social Security numbers, the U.S. Department of Health and Human Services has kept tabs on vulnerabilities that could leave health care companies open to having data stolen or held for ransom.
In a dispatch last week, HHS reported that local, state and federal agencies had said Thursday that they had been targeted by hackers leveraging the MOVEit Transfer vulnerability.
“Oregon and Louisiana transportation departments have warned millions of residents their identities are at risk after a cyberattack Thursday stole names, addresses and Social Security numbers,” HHS officials wrote. “Two Department of Energy entities were among the impacted federal agencies. The education sector was also targeted; Johns Hopkins University in Baltimore and the university’s renowned health system said in a statement this week that sensitive personal and financial information, including health billing records, may have been stolen in the hack. The University of Georgia school system is currently investigating the scope and severity of the hack.”
It’s not known whether these attacks and the PBI breach were carried out by the same actors, but all of them took advantage of the same MOVEit Transfer flaw.
CalPERS officials stressed that their systems were not threatened or breached in this attack and that retirees’ money is secure. They recommended that, in addition to enrolling in credit monitoring services, retirees and beneficiaries regularly review and monitor their accounts and credit reports. If you suspect identity theft or fraud, agency officials said, contact the police.
©2023 The Sacramento Bee. Visit sacbee.com. Distributed by Tribune Content Agency, LLC.