A retired teacher has filed a class-action lawsuit against Teachers Insurance and Annuity Association of America, alleging the company failed to protect her personal data in a widespread cyberattack that exploited vulnerabilities in a file transfer application called MOVEit.
The lawsuit accuses TIAA of recklessly maintaining the plaintiff's personally identifiable information, or PII, saying the information was kept on the company's computer network in a condition vulnerable to cyberattacks. It also claims the company neglected to encrypt the highly sensitive information and that it failed to comply with the data security practices of the Federal Trade Commission.
At least one of the plaintiff's former employers used TIAA for certain employee benefits, the lawsuit alleged.
The breach occurred May 29 and May 30 when an unauthorized third party accessed MOVEit transfer servers and downloaded data containing the plaintiff's and class members' full names, addresses, dates of birth, gender and Social Security numbers.
"Hackers targeted and obtained plaintiff's and class members' PII because of its value in exploiting and stealing the identities of plaintiff and class members," the lawsuit said. "The present and continuing risk to victims of the data breach will remain for their respective lifetimes."
The lawsuit alleges that 2.3 million customers of TIAA were affected by the breach, citing a report submitted to the Maine attorney general.
The lawsuit, which was filed Monday in U.S. District Court in New York, seeks compensatory damages and injunctive relief, including improvements to TIAA's data security systems, future annual audits and adequate credit monitoring services funded by TIAA.
TIAA declined to comment on the litigation.
The lawsuit follows a string of class actions related to the MOVEit cyber breach, including one filed by participants of the $468.3 billion California Public Employees' Retirement System, Sacramento, against Pension Benefit Information, a third-party vendor to record keepers and others in the retirement industry. CalPERS participants alleged that PBI was negligent in protecting their personal information.
The case is Jentz vs. Teachers Insurance and Annuity Association of America, No. 1:23-cv-06944.