Hackers steal social security numbers, birth dates and more on CalPERS, CalSTRS retirees

The California Public Employees’ Retirement System reported Wednesday that hackers stole the names, social security numbers, birth dates and other confidential information of roughly 769,000 retirees and beneficiaries, taking advantage of a vulnerability in a contracted vendor’s cybersecurity system.

“This external breach of information is inexcusable,” said CalPERS CEO Marcie Frost in a news release. “Our members deserve better. As soon as we learned about what happened, we took fast action to protect our members’ financial interests, as well as steps to ensure long-term protections.”

CalPERS is the largest pension system in the nation, with more than 2 million members and administering benefits to more than 1.5 million members and their families. CalSTRS, the nation’s second-largest, said Thursday it, too, was hacked through the same vendor, though it denied to offer specifics on who was affected.

“CalSTRS will provide notice to any members and beneficiaries whose personal information was involved in accordance with applicable law,” the West Sacramento-based system said. “This incident did not involve unauthorized access to CalSTRS’ network.”

In a Q&A posted on the agency’s website, CalPERS leaders said that all affected members are eligible to receive two years of free credit monitoring and identity restoration services through Experian. CalPERS mailed letters Thursday with the agency logo and a signed message from the CEO detailing what’s available and how to enroll.

Threat analyst Brett Callow of the cybersecurity firm Emsisoft said the hackers responsible for the attack claim that hundreds of businesses, government agencies and other entities worldwide were victims in the attack.

So far, Callow said, about 100 organizations have announced they had personal data stolen. In a report last week, the U.S. Department of Health and Human Services said that millions of Americans have been affected.

“The cost of this incident will be absolutely enormous,” Callow said. “A small town in Massachusetts called Lowell recently had to offer credit monitoring to its employees. That cost a million bucks. Now, Lowell has a population of just over 100,000, so that can’t be that many city employees.”

CalPERS public information officer Amy Morgan said it was too early to provide an estimate of the agency’s costs. The hackers also may have gotten the information on CalPERS members’ former or current employers, spouses or domestic partners, and children. All types of retirees are affected, whether they worked for the state, public agencies, school districts, in the courts or in the California legislature.

If you believe you were affected but don’t receive a letter by next week, you can call Experian at 833-919-4735 or email CalPERS at [email protected]. The phone line is staffed 6 a.m. to 8 p.m. Monday through Friday and 8 a.m. to 5 p.m. Saturday and Sunday. The line is closed on major holidays.

The agency notice said that a third-party vendor, PBI Research Services + Berwyn Group, had informed CalPERS of the breach on June 6 and that CalPERS moved swiftly to protect the security of its member accounts, rolling out new security protocols to protect member accounts.

CalSTRS said Thursday it was notified June 4, two days before CalPERS.

Retiree asks: What took CalPERS so long?

Randy Cheek, the legislative director of the Retired Public Employees Association, said he was livid that he and other affected members were not informed of this breach immediately. Cheek made a run for a seat on the 13-member CalPERS Board of Administration but lost to retired union chief Yvonne Walker last December.

“They found out about it two weeks ago ... and they’re just now saying something, and they’re gonna send letters out tomorrow,” he said. “On top of that, they didn’t even tell the bank because I just called Golden 1 (Credit Union) and they had no idea. I talked to their top security guy.”

Golden 1, Cheek said, holds accounts on hundreds of thousands of state employees, and it should have been alerted so they could enhance security.

When asked about the lag between learning about the hack and alerting members, CalPERS officials told The Sacramento Bee: “We needed to make sure we had all the facts and that our system was secure before alerting retirees. Our primary duty was and is to ensure the safety of all our member and retiree information.”

PBI, the third-party vendor, helps CalPERS to identify any members who have died, helping the agency to prevent overpayments or other errors. PBI also validates information on inactive members, helping CalPERS to assess who may be eligible for benefits soon.

CalPERS said that PBI was using a data transfer application called MoveIt Transfer, made by Progress Software, that organizations around the nation use to share data securely. The application boasts encryption, tracking and access controls for secure collaboration and automated transfers.

How did hackers get CalPERS data?

The hacker community discovered a critical vulnerability in the MoveIt Transfer software and a ransomware group known as Clop claimed to have exploited it before a patch was deployed, using malicious software code to gain unauthorized access to data not intended to be displayed, according to the notice on the CalPERS website.

Callow said that, as of Thursday morning, victims included 12 state or government entities in the U.S., eight public-sector agencies in other countries and six U.S. universities.

The news agency Cybersecurity Dive reported that at least two federal class-action suits have been filed against Progress Software so far, alleging negligence.

Because the MoveIt Transfer app is used by multiple hospitals, clinics and health insurance groups to share sensitive information such as medical records, bank records and social security numbers, the U.S. Department of Health and Human Services has kept tabs on vulnerabilities that could leave health care companies open to having data stolen or held for ransom.

In a dispatch last week, HHS said that local, state, and federal agencies reported June 15 that the Clop hack had compromised personal data on millions of U.S. citizens.

“Oregon and Louisiana transportation departments have warned millions of residents their identities are at risk after a cyberattack (June 15) stole names, addresses and social security numbers,” HHS officials wrote. “Two Department of Energy entities were among the impacted federal agencies. The education sector was also targeted; Johns Hopkins University in Baltimore and the university’s renowned health system said in a statement this week that sensitive personal and financial information, including health billing records may have been stolen in the hack. The University of Georgia school system is currently investigating the scope and severity of the hack.”

CalPERS officials stressed that their systems were not threatened or breached in this attack and that retirees’ money is secure. They recommended that, in addition to enrolling in credit monitoring services, retirees and beneficiaries regularly review and monitor their accounts and credit reports. If you suspect identity theft or fraud, agency officials said, contact the police.