Ma sits on the board of both pension funds: the California Public Employees Retirement System and the California State Teachers’ Retirement System.
“While it appears that member retirement benefits are not at risk, those affected may ... now be especially vulnerable to identity theft and other fraudulent activity,” Ma said. “As you know well, many of our retirees earn modest retirement checks — an average of $41,000 a year for CalPERS retirees — and are on fixed incomes. Putting hundreds of thousands of (retirees) in this position is simply unacceptable!”
CalSTRS has said that, on average, its members who retired as recently as 2021–22 had 25 years of service and a monthly benefit of $4,809.
Ma said that a special meeting would give staff an opportunity to fully brief board members, providing a full accounting of a timeline of events, staff actions once the breach was detected, current data security measures and protocols, as well as plans to prevent these types of intrusions in future.
As The Sacramento Bee reported Thursday, the data was stolen from a third-party vendor, PBI Research Services, that both CalPERS and CalSTRS used. More than 100 organizations around the world suffered data losses as a result of this software vulnerability, said Emsisoft threat analyst Brett Callow.
A ransomware group known as Clop gained unauthorized access into a software application that PBI and many other companies used. Once inside the application, known as MoveIt Transfer, the Clop hackers were able to get the program to display information that should have been encrypted.
The hackers also may have gotten information on the pension fund members’ ZIP codes, former or current employers, spouses or domestic partners, and children.
PBI, the third-party vendor, helps CalPERS and CalSTRS to identify any members who have died, helping the agency to prevent overpayments or other errors. PBI also validates information on inactive members, helping the pension funds to assess who may be eligible for benefits soon.
Ma said she’d like to know whether CalPERS and CalSTRS will continue their partnerships with PBI Research Services.
In the letter to CalPERS CEO Marcie Frost, Ma wrote: “It is my understanding that attacks on PBI Research Services may have happened as far back as May. I would like to know if CalPERS staff was made aware of these attacks and if so, what actions were taken in response.”
Ma said the two pension funds also should report on whether they know of any beneficiaries or retirees who have suffered fraudulent activity as a result of the data breach.
CalSTRS said it had was sending out letters this week to roughly 415,000 people who were affected. The agency said those papers would identify resources to help protect personal information and offer contact information for “a dedicated call center staffed by trained representatives who can assist in answering questions about the incident.”
CalPERS said it had mailed letters Thursday to 769,000 members explaining that they would be offered two years membership in a credit monitoring and identity restoration service.
PBI first shared information on the breach with CalPERS on June 6 and with CalSTRS on June 4. Both agencies said they had acted to ensure that members accounts were secure before announcing the intrusions late last week.
Randy Cheek, the legislative director of the Retired Public Employees Association, and other retirees told The Bee they were deeply disturbed that their information was in hackers’ hands for weeks before they were alerted to the breach.
Ma told Frost and CalSTRS CEO Cassandra Lichnock that she hoped they would provide updates to pensioners and beneficiaries as new information becomes available.
CalPERS, the nation’s largest defined-benefit public pension, serves more than 2 million members in its retirement system and administers benefits for more than 1.5 million members and their families in its health care program. The CalSTRS system, second only in size to CalPERS, serves more than 1 million people whose CalSTRS-covered service is not eligible for social security participation.
© 2023 The Sacramento Bee. Distributed by Tribune Content Agency, LLC.