T. Rowe Price Retirement Plan Services was the victim of a cyber breach that leaked the personal information of individuals participating in executive retirement savings plans, according to a notification that Infosys McCamish Systems filed with the Office of the Maine Attorney General on Sept. 9.
Infosys McCamish Systems is a third-party vendor to T. Rowe Price, supporting its corporate and business operations, IMS said in the filing.
Other IMS clients affected by the breach were New York Life Group Benefit Solutions, Principal Life Insurance Company, Prudential Insurance Company of America and Oceanview Life and Annuity Company. A total of 6,078,263 individuals across all five companies had their personal information leaked, of which 11,866 were in Maine, IMS disclosed in the filing.
The pilfered information included Social Security numbers, dates of birth, email addresses, usernames and passwords, driver’s license and passport numbers, and even biometric data and financial account information. The leaks varied by individual, IMS said.
T. Rowe Price explained that the breach affected individuals in what are known as nonqualified deferred compensation plans. These plans allow senior executives to sock away retirement money on a tax-deferred basis beyond what they’re allowed to with their 401(k) accounts.
Fewer than 10,000 individuals participating in nonqualified plans record kept by T. Rowe Price were affected, T. Rowe Price said in a statement.
“T. Rowe Price reviewed the data, communicated with our impacted nonqualified plan clients, and offered them the opportunity to opt in to mailings being made by IMS to impacted individuals,” it said.
T. Rowe Price declined to say how many of its nonqualified plan clients were affected.
The record keeper noted that its systems were not compromised by the incident at IMS and that no data was exfiltrated from T. Rowe Price systems.
Principal said that the breach disrupted certain applications and systems used to service its group universal life customers.
“As a customer of McCamish, we received confirmation that Principal customer data for our group universal life products was subject to unauthorized access and acquisition as part of the cybersecurity event,” the company said.
Like T. Rowe Price, Principal noted that no internal systems of Principal were compromised because of the incident and that no data was exfiltrated from systems maintained by Principal.
The three other affected companies – New York Life, Prudential and Oceanview – did not respond to a request for comment.
IMS reported that it became aware that some of its systems were encrypted by ransomware on Nov. 2, 2023, a discovery that prompted an in-depth cyber forensic investigation. It found that unauthorized activity occurred between Oct. 29, 2023, and Nov. 2, 2023, and that data had been subject to unauthorized access and acquisition.
The vulnerability has since been contained and remediated, IMS said.
In addition to identifying the personal information subject to unauthorized access and acquisition, IMS notified the organizations impacted by the breach.
In June, it also began sending written notices of the breach to affected individuals, offering them 24 months of complimentary credit monitoring services as well as guidance on how to protect against identity theft and fraud.
In the letter to individuals, IMS noted that it was not aware of any instances in which the personal information leaked had been fraudulently used.
This story has been updated with comments from T. Rowe Price.