TIAA Swept Up in Infosys Breach
The data breach affected nearly 9,000 individuals at TIAA.
TIAA and TIAA Life, the life insurance arm of the retirement and investment provider, were swept up in a data breach that hit other providers, including T. Rowe Price and Vanguard, last year.
The breach reached 8,977 individuals in TIAA’s system, including 81 residents of Maine, according to a September 27 filing with the office of the Maine Attorney General. The breach was part of the hacking of Infosys McCamish Systems LLC, which occurred on October 29, 2023, and was discovered by the company just days later, on November 2, 2023.
“Infosys McCamish Systems notified TIAA that some TIAA and TIAA Life retail customers (not institutional plan participants) were impacted during McCamish’s November 2023 cybersecurity incident,” a TIAA spokesperson wrote in an email to PLANADVISER. “There was no involvement whatsoever of TIAA’s systems or recordkeeping platform. We have alerted those affected customers and IMS has secured Kroll’s services to provide identity monitoring services at no cost to them. Data security remains a top priority at TIAA.”
TIAA’s inclusion in the data breach further emphasizes the ripple effect an attack on a third-party provider can have. In 2023, a breach at data vendor MOVEit, owned by Progress Software Corp., exposed the data of some of the country’s largest recordkeepers, as well as university and state-run pension programs.
In last year’s breach, Infosys suffered hacking that impacted T. Rowe Price Retirement Plan Services and several other vendor clients, according to a notification filed with the Office of the Maine Attorney General on September 11, amending a June 27 filing.
The TIAA breach notification, submitted by Lou Senay, managing director of supervisory affairs at TIAA, to Maine’s attorney general, outlined that sensitive personal information such as names and other personal identifiers had been compromised. Although the full scope of the compromised data was not detailed, it was confirmed that the breach involved a system hack, heightening concerns over the protection of financial and personal information.
TIAA has notified those affected and is offering protection services to help safeguard against identity theft and other potential misuse of the breached information. For now, the breach affected fewer than 1,000 residents of Maine, so consumer reporting agencies have not been alerted.