Massive data breach impacts CalPERS and CalSTRS, the nation’s biggest public pension funds

The vendor helps CalPERS identify member deaths and make sure that correct payments go to retirees and their beneficiaries.

KCRA THREE NEWS. THANKS, LIANE. WELL, HUNDREDS OF THOUSANDS OF RETIREES HAVE HAD THEIR PERSONAL INFORMATION LEAKED AFTER A MASSIVE DATA BREACH CASE WAS DISCOVERED THAT IT’S IMPACTED MEMBERS OF TWO OF THE LARGEST PUBLIC PENSION FUNDS IN THE NATION. AND SOME OF THOSE MEMBERS SAY THEY SHOULD HAVE BEEN NOTIFIED SOONER. WHY WEREN’T WE TOLD? WHY WEREN’T WE GIVEN A HEADS UP? WELL, ALL KINDS OF PERSONAL DATA WAS STOLEN IN THIS BREACH. YES, A LOT OF INFORMATION. THREE LYSEE MITRI JOINS US LIVE WITH WHAT HAPPENED AND HOW EACH STATE AGENCY IS NOW RESPONDING. LIZZY. LISA, CYBER CRIMINALS HAD ACCESS TO SENSITIVE INFORMATION LIKE SOCIAL SECURITY NUMBERS IN THIS WORLDWIDE DATA BREACH INVOLVING A THIRD PARTY COMPANY THAT BOTH THE CALIFORNIA STATE TEACHERS RETIREMENT SYSTEM AND THE CALIFORNIA PUBLIC EMPLOYEES RETIREMENT SYSTEM HAVE BEEN CONTRACTING WITH. WITH ROUGHLY 2 MILLION STATE SCHOOL AND PUBLIC AGENCY MEMBERS, THE CALIFORNIA PUBLIC EMPLOYEES RETIREMENT SYSTEM, OR CALPERS, IS THE LARGEST PUBLIC PENSION FUND IN THE NATION, AND ABOUT 769,000 OF THEIR RETIREES AND BENEFICIARIES ARE NOW LEARNING THEIR NAMES, BIRTHDATES AND SOCIAL SECURITY NUMBERS COULD BE IN THE HANDS OF CYBER CRIMINALS AFTER A DATA BREACH OF A THIRD PARTY VENDOR, PBI RESEARCH SERVICES. WE USE AN OUTSIDE VENDOR IN THIS PARTICULAR CASE TO VERIFY THE STATUS OF OUR RETIREES AND WHETHER RETIREES HAVE PASSED AWAY, BECAUSE IF THEY HAVE PASSED AWAY, WE WANT TO MAKE SURE THAT THEIR BENEFICIARIES HAVE WHAT THEY NEED. WE WANT TO MAKE THE SYSTEM REFLECT THE RIGHT PAYMENTS. THAT VENDOR TELLS KCRA DISCOVERED A VULNERABILITY IN ITS SOFTWARE WAS BEING EXPLOITED AT THE END OF MAY. IT FIXED IT AND NOTIFIED CLIENTS LIKE CALPERS. ON JUNE 6TH. WE HEARD THAT WE MIGHT HAVE HAD A VULNERABILITY. ON JUNE 9TH. WE WERE TOLD THERE WAS A VULNERABILITY AND WE MOVED INTO ACTION AS FAST AS WE COULD FROM THERE. BUT THE PUBLIC AND RETIREES LIKE RANDY CHEEK DIDN’T FIND OUT UNTIL YESTERDAY.
TWO WEEKS LATER, I FELT THAT THIS WAS JUST, I MEAN, FLABBERGASTED THAT THEY DIDN’T SAY ANYTHING TO ANYBODY BEFORE THIS. WE SHOULD HAVE KNOWN. WE SHOULD HAVE BEEN ABLE TO CHECK OUR ACCOUNTS. CHEEK IS THE LEGISLATIVE DIRECTOR FOR THE RETIRED PUBLIC EMPLOYEES ASSOCIATION OF CALIFORNIA. AND RAN UNSUCCESSFULLY LAST YEAR FOR A SEAT ON THE CALPERS BOARD OF ADMINISTRATION. WHY WEREN’T WE TOLD SOONER? WE SHOULD HAVE BEEN TOLD SOONER. WE ASKED CALPERS. WE’VE BEEN MAKING SURE THAT ALL OF OUR INFORMATION SYSTEMS WERE SECURE AND WE WANTED TO GET THE RIGHT INFORMATION AS FAST AS WE COULD TO THE RETIREES. IT WAS IMPORTANT THAT WE GOT THEM THE INFORMATION THEY NEEDED WHILE LOOKING INTO CALPERS, KCRA ALSO REACHED OUT TO THE NATION’S SECOND LARGEST PUBLIC PENSION FUND, THE CALIFORNIA STATE TEACHERS RETIREMENT SYSTEM, AND LEARNED WHILE THEY DID NOT PUBLISH A NEWS RELEASE LIKE CALPERS, THEY ALSO CONTRACT WITH PBI AND ARE TRYING TO IDENTIFY MEMBERS WHOSE INFORMATION WAS COMPROMISED AND THEY DIDN’T RESPOND. WHEN WE ASKED HOW MANY PEOPLE WERE IMPACTED OR IF THEY’LL CONTINUE TO USE THAT THIRD PARTY COMPANY WHILE CALPERS SAYS THAT IS SOMETHING THAT THEY ARE REEVALUATING AND IN THE MEANTIME, THEY WILL NOT BE SHARING INFORMATION WITH THAT COMPANY LIVE HERE IN SACRAMENTO, LYSEE MITRI KCRA THREE NEWS. JOSE, THANK YOU. AND CALPERS SAYS IT’S WORKING TO NOTIFY VICTIMS WHO WILL GET FREE ACCESS TO CREDIT MONITORING THROUGH EXPERIAN FOR TWO YEARS. ANYONE WITH QUESTIONS CAN ALSO VISIT THE CALPERS WEBSI
The personal information of about 769,000 retired CalPERS members was exposed in a third-party data breach that was reported earlier this month. CalSTRS said 415,000 of its members and beneficiaries were impacted by the breach.

CalPERS, the California Public Employees' Retirement System, is the nation's largest public pension fund. It serves more than 2 million members in its retirement system and more than 1.5 million in its health program.

CalSTRS, the California State Teachers' Retirement System, is the second-largest public pension fund in the United States and the largest teachers' retirement system. It serves more than 947,000 members.

CalPERS first said in a release Wednesday that its third-party vendor, PBI Research Services, notified the agency on June 6 of a vulnerability with its MOVEit Transfer Application that has since been fixed.

PBI helps CalPERS identify member deaths and make sure that correct payments go to retirees and their beneficiaries.

The app’s vulnerability allowed data like first and last names, date of birth and Social Security numbers to be downloaded by an unauthorized third party, CalPERS said. The names of members’ family members could also have been accessed.

CalPERS said the breach did not impact its own information systems, myCalPERS or active members. It also does not affect members' monthly benefits payments.

But along with retired members and their families, the breach could have also impacted inactive members who soon become eligible for benefits, CalPERS said.

PBI said in a statement that it identified the vulnerability "at the end of May" and that it was "actively being exploited by cyber criminals."

"PBI promptly patched its instance of MOVEit, assembled a team of cybersecurity and privacy specialists, notified federal law enforcement and contacted potentially impacted clients," PBI said. "The cyber criminals did not gain access to PBI’s other systems – access was only gained to the MOVEit administrative portal subject to the vulnerability. PBI is working directly with impacted clients to identify impacted consumers and develop notice plans."

Thousands of other organizations have also been impacted by the breach, CalPERS said.

According to The Associated Press, the U.S. Department of Energy and other federal agencies were compromised, along with more than 9 million drivers in Oregon and Louisiana, Johns Hopkins University, the Ernst & Young accounting firm, the BBC and British Airways.

CalPERS said that on Thursday, it will begin sending letters to impacted members about the breach and will offer them free Experian credit monitoring for two years.

It was not immediately clear if CalPERS has received reports of fraud in connection with the breach. KCRA 3 is also asking why the agency waited until this week to announce the breach.

"I felt just-- flabbergasted that they didn’t say anything to anybody before this. We should have known. We should have been able to check our accounts," said Randy Cheek, legislative director for the Retired Public Employees' Association of California.

The AP reported that the criminal gang Cl0p, which is believed to be responsible for the hack, is extorting victims.

CalPERS members can email questions about the breach to PBIquestions@calpers.ca.gov or call 833-919-4735 Monday through Friday from 6 a.m. to 8 p.m. or Saturday and Sunday from 8 a.m. to 5 p.m.

CalPERS said that in response to the breach, it is making new protocols for myCalPERS and safeguards for those who use the call center or who visit a regional office.

“This external breach of information is inexcusable,” CalPERS CEO Marcie Frost said in a statement. “Our members deserve better. As soon as we learned about what happened, we took fast action to protect our members’ financial interests, as well as steps to ensure long-term protections.”

On Thursday, CalSTRS confirmed it was also impacted when asked by KCRA 3. The system said it was informed on June 4 that PBI's systems were exploited. On June 8, it was told the breach contained the personal information of some of its members.

"This incident did not involve unauthorized access to CalSTRS' network," CalSTRS said. "CalSTRS is working with PBI to identify the CalSTRS members whose information was involved in PBI’s incident. CalSTRS will provide notice to any members and beneficiaries whose personal information was involved in accordance with applicable law."

CalSTRS, in a Friday email, said that the names, Social Security numbers, dates of birth and ZIP codes of 415,000 members and their beneficiaries were released by the breach. Those affected were sent a letter identifying resources available to help protect private information.

"CalSTRS is evaluating the relationship with PBI Research Services and security measures in place," the agency said. "PBI has informed CalSTRS that it applied the recommended patches to its file transfer system and taken the recommended mitigation steps. CalSTRS continues to work to ensure that all of our service providers implement security measures that protect our members’ information."