The $458.9 billion California Public Employees' Retirement System, Sacramento, was also recently hit by a similar breach of its participants' personal data involving PBI. That incident impacted the personal information of 769,000 retirees.
CalSTRS and PBI used a file transfer application hosted by PBI to transmit files containing member information for that purpose, the pension fund said in a notice on its website.
The breach impacted about 415,000 CalSTRS participants and beneficiaries, according to an emailed statement Monday from the $309.3 billion pension fund.
On June 4, PBI initially informed CalSTRS that its systems were involved in a "mass exploit of a vulnerability" in a secure file transfer system. On June 8, PBI confirmed that the incident involved files containing the personal information of some CalSTRS participants and beneficiaries.
Immediately afterward, CalSTRS started an investigation to identify the participants and beneficiaries whose information was involved in the hack. On June 16, CalSTRS determined that the breach included the names, Social Security numbers, birth dates and ZIP codes of some 415,000 CalSTRS participants and beneficiaries.
The participants and beneficiaries whose data were breached will receive letters identifying "resources available to them to help protect their personal information, as well as contact information for a dedicated call center staffed by trained representatives who can assist in answering questions about the incident," the statement added. Those letters will be mailed this week.
CalSTRS further said in the statement that it is "evaluating the relationship with PBI Research Services and security measures in place" and that it continues to work to "ensure that all of our service providers implement security measures that protect our members' information."
"Pension payments are not affected by this incident," CalSTRS added in the statement.
"CalSTRS is committed to ensuring the privacy and security of our members' personal information, and we know that members are concerned," said Cassandra Lichnock, chief executive officer, in the statement. "CalSTRS acted as quickly as possible to notify the members whose information was involved."
“Among many other entities including the federal government, state governments, universities, healthcare organizations, and corporations around the world, PBI Research Services was also impacted by the recent MOVEit cyberattack in late May,” a PBI spokeswoman said in an email. “PBI Research Services uses Progress Software’s MOVEit file transfer application with some of our clients. At the end of May, Progress Software identified a cyberattack in their MOVEit software that did impact a small percentage of our clients who use the MOVEit administrative portal software resulting in access to private records. This breach did not gain access to PBI’s core systems or software.”
The spokeswoman added: “PBI promptly patched its instance of MOVEit, assembled a team of cybersecurity and privacy specialists, notified federal law enforcement, and contacted impacted clients. Our clients’ and their customers’ privacy is our number one priority and PBI is working diligently with our clients to notify and support impacted individuals.”
Regarding affected participants, the PBI spokeswoman said the company will not be “commenting client-specific situations, but has contacted those who were impacted.”