On June 6, 2023, CalPERS, the largest public pension fund in the United States, was notified by its third-party vendor PBI Research Services (“PBI”) that PBI was exploited by a ransomware group called Cl0p and had suffered a data breach that exposed the personal information of about 769,000 retirees and beneficiaries receiving benefits from CalPERS.
The breach was caused by a vulnerability in the MOVEit Transfer Application, a file transfer system used by PBI to communicate with CalPERS.
PBI is a vendor that helps CalPERS identify member deaths and make sure that correct payments go to retirees and their beneficiaries.
This was a known software flaw, as Cl0p has claimed to have breached hundreds of companies by exploiting the same flaw. But neither CalPERS or PBI had timely fixed the flaw, even though by contract and law PBI is required to protect such personal information from exfiltration.
“This external breach of information is inexcusable. Our members deserve better,” said CalPERS Chief Executive Officer Marcie Frost in a formal press release issued by CalPERS.
CalPERS has stressed its own systems were not compromised and that the data breach would not impact members’ payments and retirement benefits. However, it advised members to be vigilant for any signs of identity theft or fraud and to report any suspicious activity to their financial institutions and credit bureaus.
Direct notice of this data breach should be sent out shortly to affected persons.
What data was compromised and who was affected?
According to CalPERS, the data downloaded by Cl0p included:
- First and last name
- Date of birth
- Social security number
- In some cases, names of former or current employers, spouses or domestic partners, and children.
The data breach affected anyone who was receiving an ongoing monthly benefit payment from CalPERS as of Spring 2023. This includes retirees from the State, public agencies, school districts, and retirees of the Judges’ Retirement System and Legislators’ Retirement System.
How did CalPERS respond?
CalPERS claims it took immediate action “to protect our members’ financial interests, as well as to ensure long-term protections.”
While too late to stop this attack, CalPERS claims It implemented new security protocols to safeguard member accounts and has contacted law enforcement authorities to investigate the incident.
CalPERS has also offered two years of free credit monitoring and identity restoration services through Experian to all affected members.
CalPERS has set up a dedicated page on its website for members who might have additional questions. Members can visit calpers.ca.gov/page/home/pbi or they can send questions by email to PBIquestions@calpers.ca.gov. They can also call 833-919-4735, Monday through Friday, 6:00 a.m. to 8:00 p.m. PT and Saturday and Sunday, 8:00 a.m. to 5:00 p.m. PT (excluding major holidays).
What is MOVEit and how was it exploited?
MOVEit is a supposedly secure file transfer system that allows organizations to exchange sensitive data with external parties. The vulnerability allowed attackers to execute an arbitrary code on the server hosting the application to access any files stored there.
This software was developed by Progress Software Corporation, which disclosed a zero-day vulnerability in its MOVEit Transfer Application on May 4, 2023.
This vulnerability was allegedly patched by Progress on May 18, 2023, but many organizations failed to apply the update in time, including CalPERS and PBI.
Cl0p, a ransomware group that operates under the Ransomware-as-a-Service (RaaS) model, took advantage of the MOVEit flaw and breached PBI’s system on June 6, 2023. Cl0p uses a “double-extortion” technique of stealing and encrypting victim data, refusing to restore access, and publishing exfiltrated data on its dark web site if the ransom is not paid.
It is not clear if CalPERS or PBI has made a ransom payment at this time.
Cl0p has similar published data from other victims of the MOVEit exploit such as Shell Global, Telos, Norton LifeLock, and Wilton Re.
What can you do to protect yourself?
If you are a CalPERS retiree or beneficiary who was affected by the data breach, you should take the following steps:
- Enroll in the free credit monitoring and identity restoration services offered by Experian. You should receive a letter from CalPERS with instructions on how to do so. If you have not received a letter, you can call 833-919-4735 for more information.
- Review your credit reports for any unauthorized accounts or inquiries. You can get a free copy of your credit report from each of the three major credit bureaus (Equifax, Experian, and TransUnion) once a year at www.annualcreditreport.com (official site).
- Place a fraud alert or a credit freeze on your credit files. A fraud alert notifies potential creditors that you may be a victim of identity theft and requires them to verify your identity before opening any new accounts in your name. A credit freeze blocks access to your credit files altogether unless you lift it with a PIN or password. You can place a fraud alert or a credit freeze by contacting any of the three credit bureaus.
- Monitor your bank accounts and credit card statements for any unusual transactions or charges. Report any suspicious activity to your financial institution immediately.
- Change your passwords and enable multi or two-factor authentication for your online accounts, especially those that contain sensitive information or are linked to your financial services.
- Use strong and unique passwords for each account and avoid using the same password for multiple sites.
- Be wary of any phishing emails, phone calls, or text messages that claim to be from CalPERS, PBI, or other legitimate organizations and ask for your personal or financial information.
- Do not click on any links or attachments or provide any information unless you are sure of the sender’s identity and legitimacy. If you are unsure, contact the organization directly using a verified phone number or email address.
What Are Your Legal Options?
California laws specifically protect the personal information of California residents who may have been subject to this data breach.
- The California Customer Records Act requires businesses to implement and maintain reasonable security procedures and practices to protect consumers’ personal information.
- In 2018, California passed the California Consumer Privacy Act (CCPA). This law has many protections for the personal information of California residents.
- The Confidential Medical Information Act (CMIA) also protects confidential health-related information, depending on the materials that were accessed accessed. It is unclear at this time whether the information hacked violated that law. The CMIA defines “medical information” to mean any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or has any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or other information that reveals the individual’s identity.
Consumers residing in California may be entitled to between $100 and $1,000 or your actual damages, whichever is greater, depending on which of these laws are violated.
Participants in data breach lawsuits can recover damages, injunctive relief (to ensure that businesses like PBI and its supervising entity CalPERS) has reasonable security practices to protect consumer data from being leaked again), and anything else necessary to compensate data breach victims and prevent these harms from occurring again.