
Data Breach at CalPERS and CalSTRS
An unanticipated vulnerability affecting two of California's most important and high-profile institutions came to light when the state's two largest public pension funds, CalPERS (California Public Employees' Retirement System) and CalSTRS (California State Teachers' Retirement System), suffered a major data breach. The breach exposed the personal data of approximately 1.2 million retired members and their beneficiaries. A data leak of this scale poses a significant threat to the privacy of everyone affected.
Extent of the Data Exposure
The exposed data was not only extensive but also highly sensitive and personal in nature. It included critical details such as names, Social Security numbers, and dates of birth. Zip codes and information about employers, spouses, and dependents may also have been compromised. The broad scope of the leak, and the potential for misuse of such information, underline the severity of the incident.
State's Response and Expectations
The revelation, first reported by The Sacramento Bee, prompted California Treasurer Fiona Ma to write to both organizations urging them to provide further details about the breach. The letter asked them to describe their current data security measures and protocols, explain what staff did once the breach was detected, and set out the timeline of the breach. Fiona Ma also called for a special meeting to ensure that data security is given the appropriate priority.
Retirees’ Concern About Data Security
There is growing concern among the retirees and beneficiaries affected by the breach. Retirees such as Randy Cheek expressed dissatisfaction with how the pension funds handled the incident, citing worries about fraud committed with their exposed data. He and others like him pointed out that they should have been alerted sooner, since the delay could have allowed the attackers to use the exposed data to gain access to other financial accounts.
Source of Data Breach
The breach traces back to a critical vulnerability in a contractor's systems. The affected system belonged to third-party vendor PBI Research Services/Berwyn Group, which serves both CalPERS and CalSTRS to ensure accurate payments to retirees and members. The incident also represents a serious breach of trust, given that the data was sent and received in a supposedly secure, encrypted format.
Software Involved in Breach
At the heart of this breach is a software application known as MOVEit Transfer. Operated by PBI Research Services/Berwyn Group, it played a central role in the security lapse. As part of PBI's services to the pension funds, MOVEit Transfer was used to move sensitive member data securely. Instead, it turned out to be the weak link in the vendor's defenses that the attackers exploited.
Timeline of the Data Breach
Early signs of the attack surfaced in June 2023. The ransomware group Cl0p, also known as Clop, claimed to have compromised the MOVEit secure file transfer software and, through it, stolen data from several hundred organizations worldwide, including businesses, government agencies, and universities. Around that time, PBI confirmed to CalPERS and CalSTRS that files on its MOVEit appliance had been accessed without authorization between May 29 and May 30, 2023. A few days later, CalSTRS received official confirmation that its retiree and beneficiary data had been exposed, and CalPERS received similar news on June 9.
Implication of PBI in the Breach
PBI has been instrumental in identifying deceased CalPERS and CalSTRS members, thereby helping prevent erroneous overpayments. The extent of its involvement was highlighted by CalPERS Chief Executive Officer Marcie Frost, who noted that of the 26,000 deaths reported within CalPERS the previous year, 11,000 were identified through PBI. The data breach therefore not only jeopardizes personal information but also affects the administrative processes of these pension funds.
Steps to Mitigate Impact of Data Breach
In the aftermath of a data breach as large as this one, the repercussions may seem daunting. It is nonetheless vital for affected individuals to take protective measures immediately to limit any further harm.
Active Monitoring of Financial Accounts
Careful, regular review of financial statements is the first line of defense. This means routinely checking credit card, bank, and other financial accounts for any suspicious or unexpected transactions. Any irregular activity should be reported to the financial institution right away for investigation.
Immediate Password Changes
One crucial step is to change the passwords of any online accounts that may be linked to the information compromised in the breach. Choosing a unique, strong password for each online account helps keep personal data safe from attackers.
Utilizing Credit Monitoring Services
In response to the security lapse, both CalPERS and CalSTRS are providing affected members with two years of free credit monitoring and identity restoration services through Experian. These services allow real-time monitoring of members' personal data and prompt detection of any unauthorized use.
Setting up Fraud Alerts
Another recommended step is to set up fraud alerts or security freezes on credit reports. Registering these with the major credit bureaus, Equifax, Experian, and TransUnion, can help prevent unauthorized accounts from being opened in one's name. This preventive measure can be instrumental in guarding against further harm from the breach.
Actions Post Receipt of Notifications
Upon receiving a notification from PBI, CalPERS, or CalSTRS, affected parties should use the included information to activate the credit monitoring and identity theft protection services. These free services, valid for a minimum of 12 months, provide a way to monitor any subsequent misuse of members' data. Paying attention to reports from the credit monitoring service enables swift action, including freezing credit or closing accounts, if it flags unusual changes to a credit report.
Additional Protection with ID Protection Tool
Beyond the immediate measures against the direct impact of the data breach, it is beneficial to strengthen one's overall online security using tools designed to protect personal data. One such tool is the ID Protection tool, intended to address the challenges posed by data breaches and compromised personal data.
Data Exposure Check
The ID Protection tool lets users check whether their data, specifically their email address and phone number, has been exposed in a leak or is potentially circulating on the dark web. With a way to check for such exposure, users can better understand and manage their online risk profile.
Social Media Account Monitoring Tool
ID Protection also includes a Social Media Account Monitoring tool. This feature helps users secure their social media accounts, shoring up another common point of data exposure. It also provides a personalized report so users can keep track of their social media security status.
Suggested Strong Passwords
Effective password management is critical to online security, and the ID Protection tool helps here as well. It suggests strong, hard-to-guess passwords that improve account security against intrusion attempts.
Secure Browsing Experience
Beyond personal accounts and data, the tool also contributes to a safer browsing experience. It checks websites and blocks trackers, supporting more secure and private online navigation.
Mobile Identity Protection
On top of these features, additional resources are available, such as the mobile app Safeguard My Identity. It serves as an extra layer of protection, giving users security and control over their personal data on mobile devices.