CalPERS, CalSTRS Hit By Third-Party Cybersecurity Breach

The public employee retirement systems are working to notify people with exposed accounts. 

The California Public Employees’ Retirement System, which serves state employees in California and is the largest pension fund in the U.S., and the California State Teachers Retirement System, the public pension fund serving California teachers, were among the public and private sector institutions affected by a major data breach.

In a statement last week, CalSTRS said, “On June 4, 2023, a CalSTRS vendor, PBI Research Services, advised us that its systems were involved in the recent mass exploit of a vulnerability in the MOVEit secure file transfer system. This incident did not involve unauthorized access to CalSTRS’ network. CalSTRS is working with PBI to identify the CalSTRS members whose information was involved in PBI’s incident. CalSTRS will provide notice to any members and beneficiaries whose personal information was involved in accordance with applicable law.”

Never miss a story — sign up for PLANADVISER newsletters to keep up on the latest retirement plan adviser news.

According to published reports, other affected organizations include Genworth Financial, a Virginia-based life insurance services provider, and Wilton Re, a New York-based insurance provider. In all, the security breach at PBI Research Services, which recently merged with The Berwyn Group, impacted the personal information of approximately 769,000 members, according to CalPERS’ Tuesday communication to its retired members and their families.

PBI provides services to CalPERS to identify member deaths, and these services ensure that proper payments are made to retirees and beneficiaries and prevent instances of overpayments or other errors. The security incident did not impact information systems operated by CalPERS, according to the press release.

Retirees and beneficiaries with impacted personal information are being contacted by mail with information on how to take additional steps to protect their information, and CalPERS offered free credit monitoring for two years.

In addition, PBI notified CalPERS that retired member files were impacted as well. Some of those include inactive members who may soon become eligible for benefits.

PBI has reported the incident to federal law enforcement and has told CalPERS it has “resolved the vulnerability,” while also adding additional security measures. According to a press release, CalPERS has added new protocols on its member benefits website, myCalPERS, as well as additional safeguards for those who use the member contact center and those who visit any CalPERS regional office.

«