Nearly 9,000 customers of TIAA and TIAA-CREF Life Insurance Company were victims of a cybersecurity breach, according to a notification filed by TIAA with the Office of the Maine Attorney General on Sept. 27.
The data breach occurred at Infosys McCamish Systems, one of TIAA and TIAA Life’s administrative support services providers, TIAA said in the filing.
The cybersecurity breach occurred between Oct. 29, 2023, and Nov. 2, 2023, and involved an unauthorized party gaining access to IMS systems and data.
IMS became aware of the problem on Nov. 2, at which point it retained a third-party cybersecurity expert to investigate and assist with containment. It also implemented additional security controls and restored full services in December.
The filing did not disclose what data or information was stolen.
In a statement, TIAA said that TIAA and TIAA Life retail customers – and not participants in workplace retirement plans – were affected by the breach.
“We have alerted those affected customers, and IMS has secured Kroll’s services to provide identity-monitoring services at no cost to them. Data security remains a top priority at TIAA,” the company said in a statement.
In a sample letter to affected customers, TIAA said that it was unaware of any fraudulent use of the pilfered data, but encouraged victims to register for the complimentary identity monitoring services being offered. The complimentary services, which are available for a two-year period, include credit monitoring and a $1 million identity fraud loss reimbursement.
The cyber breach follows an earlier incident at T. Rowe Price, which leaked the personal information of almost 10,000 individuals participating in executive retirement savings plans.
The T. Rowe Price breach also occurred at IMS, a T. Rowe third-party vendor, and affected four other companies: New York Life Group Benefit Solutions, Price Life Insurance Company, Prudential Insurance Company of America and Oceanview Life and Annuity Company. Altogether, a total of over 6 million individuals across the five companies had their personal information leaked.
The recently reported data breach at TIAA affected 8,977 people, with 81 residing in Maine, according to TIAA’s filing.
