California pension officials say the personal information of about 769,000 retired state employees and other beneficiaries — including Social Security numbers — was among the data stolen by Russian cybercriminals who broke into a popular file transfer application.
The MOVEit program breach, which was discovered last month, is estimated by cybersecurity experts to have compromised hundreds of organizations worldwide. Confirmed victims include the US Department of Energy and several other federal agencies, more than 9 million motorists in Oregon and Louisiana, Johns Hopkins University, Ernst & Young, the BBC and British Airways.
The criminal gang behind the hack, known as Cl0p, extorted victims, threatening to dump their data online if they didn’t pay up.
The California Public Employees’ Retirement System said in a statement that a third-party vendor illegally used MOVEit to help it identify member deaths and validate payment eligibility.
“This external data breach is inexcusable,” CalPERS CEO Marcie Frost was quoted as saying. “Our members deserve better. As soon as we became aware of what was happening, we took swift action to protect the financial interests of our members, as well as measures to ensure long-term protections.”
Security experts say that such so-called supply-chain hacks expose an uncomfortable truth about software organizations: Network security is only as strong as the weakest digital link in the ecosystem.
The stolen data includes names, dates of birth and Social Security numbers — and may also include the names of spouses or domestic partners and children, officials said. CalPERS identifies the vendor as PBI Research Services/Berwyn Group. CalPERS plans to send letters Thursday to those affected by the breach.
CalPERS said PBI notified it of the breach on June 6, the same day cybersecurity firms began issuing reports on the breach of MOVEit, whose developer Ipswitch is owned by Progress Software.
PBI reported the breach to federal law enforcement, and CalPERS has put in place “additional safeguards” to protect the information of retirees who use the member benefits website and visit a regional office, the officials said.
AP Technology Writer Frank Bajak contributed from Boston. Austin is a corps member for the Associated Press/Report for America Statehouse News Initiative. Report for America is a nonprofit national service program that places journalists in local newsrooms to report on undercovered issues.
Copyright 2023 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or distributed.