The $468.3 billion California Public Employees' Retirement System, Sacramento, provided sensitive information — names, Social Security numbers, birth dates — to Pension Benefit Information and its recently acquired partner, The Berwyn Group, as part of a participants' death audit.
PBI used software that was hacked by the CL0p ransomware group, which then downloaded the information of 769,000 retired CalPERS participants through PBI's servers.
The class-action lawsuit alleges that 769,000 retired CalPERS participants' data leaked much earlier, and that PBI waited until June 4 to notify CalPERS.
PBI said on its website that it "became aware of the MOVEit compromise on June 2, 2023, and immediately applied the patch provided by Progress Software."
CalPERS notified retired participants June 21, according to Rosemary Knox, president of the Retired Public Employees Association.
"It's really taken over my life, the lives of our members," Ms. Knox said in an interview. "We're researching our options" for what to do next, she said.
The RPEA asked whether CalPERS has contacted the FBI or other law enforcement agencies, or has been asked for a ransom payment, and has not heard back.
In May, the Russian hackers exploited a vulnerability in the MOVEit file-transfer software and stole personal data from nearly 20 million people, including from more than 300 companies and government agencies.
Among financial firms affected were Fidelity Investments; TIAA-CREF; TD Ameritrade, now owned by Charles Schwab; and others that also contracted with PBI and other record keepers.
Corebridge Financial, a Houston-based financial services company, was also breached, according to its filing with the SEC.
The suit alleges that PBI was negligent in protecting CalPERS participants' personal information and violated the California Customer Records Act, which governs how PBI should protect the personal information of CalPERS participants, according to Anthony Jenkins, the plaintiff's attorney at Los Angeles-based law firm Arias Sanguinetti Wang & Torrijos, in a news release.
"PBI's false promises compromised the data of hundreds of thousands of people, many of whom live on a restricted income, and if their credit or financial accounts are accessed, it would be catastrophic," Mr. Jenkins said in the news release. PBI has not sent any notice directly to CalPERS retirees and beneficiaries, the lawsuit said.
The case is Terry Cheng et al. vs. Pension Benefit Information LLC and The Berwyn Group Inc., filed under Case No. 2:23-cv-05481.
Pension funds and other retirement plans need to comply with the Department of Labor's latest cybersecurity best practices, said Katuri Kaye, an attorney with Trucker Huss law firm in Los Angeles. The firm isn't participating in the class-action suit.
Ms. Kaye said the Labor Department has been sending out cybersecurity audit letters to many plans since 2021, when it issued the best practices.
"The DOL cybersecurity audits we've seen include requests that differ from plan to plan, so plans may be receiving a variation of similar types of questions," she said.
The turnaround time for document production in response to the DOL's cybersecurity document request is "very short," Ms. Kaye added, about two weeks. "So, it's extremely important that plan sponsors are focusing on this stuff before they are audited."
Trucker Huss has clients who directly engaged some of the entities involved in the latest breach, she said.
The Russian hacker group CL0p is known for "driving global trends in criminal malware distribution," according to the U.S. Cybersecurity and Infrastructure Security Agency, or CISA.
The latest breach exploited a weakness in MOVEit, a file-transfer product that companies and organizations use to transmit sensitive data. Once the hackers had exploited the flaw, they could access data stored on MOVEit servers, which gave them a route to steal personal information from financial firms with thousands of employees and from government agencies that handle data about millions of people.
In late July, Medicare reported that up to 600,000 patients might have had their data breached as part of the hack.