By SOPHIE AUSTIN and FRANK BAJAK | Associated Press
The personal information of approximately 769,000 retired California employees and beneficiaries, including Social Security numbers, has been stolen by Russian cybercriminals through a breach of a popular file-transfer application, according to the country’s largest public pension fund.
California Public Employees Retirement System (CalPERS) attributed the breach to a third-party vendor responsible for verifying deaths. Interestingly, the same vendor, PBI Research Services/Berwyn Group, also suffered another data breach from the same group of cybercriminals, resulting in the loss of personal data belonging to at least 2.5 million Genworth Financial policyholders, which also included Social Security numbers.
In response to the breach, CalPERS announced that affected members will receive two years of free credit monitoring, while Genworth stated that it will provide credit monitoring and Identity Theft protection.
The breach of the MOVEit file-transfer program, which was discovered last month, is estimated to have impacted hundreds of organizations worldwide, causing cybersecurity experts to raise concerns. Some of the confirmed victims include the U.S. Department of Energy, multiple federal agencies, more than 9 million motorists in Oregon and Louisiana, Johns Hopkins University, Ernst & Young, the BBC, and British Airways.
The criminal group responsible for the hack, known as Cl0p, has been extorting victims, threatening to publicly release their data if they refuse to pay the ransom.
In a filing with the Securities and Exchange Commission, Genworth disclosed the hack on the MOVEit instance managed by PBI Research.
PBI Research, based in Minnesota, has not provided details on which other customers may have been affected by the breach. However, the company’s website lists public pension funds from Nevada, New Jersey, and Tennessee as customers of its mortality verification service.
Expressing her dismay, CalPERS CEO Marcie Frost stated, “This external breach of information is inexcusable. Our members deserve better. As soon as we learned about the incident, we swiftly took action to protect the financial interests of our members and implemented measures for long-term security.”
CalPERS, which possesses assets worth over $442 billion, serves approximately 1.5 million members.
Experts in cybersecurity emphasize that supply-chain hacks, like the one seen here, bring attention to a disturbing fact about the software organizations utilize: the strength of network security is directly influenced by the weakest digital link in the system.
The stolen data encompasses names, birth dates, and Social Security numbers. Additionally, it may also include information about spouses, domestic partners, and children. CalPERS intends to communicate with those affected by the breach through letters, which are scheduled to be sent on Thursday.
CalPERS received notification from PBI about the breach on June 6, coinciding with the release of reports by cybersecurity firms regarding the MOVEit breach. Ipswitch, the maker of MOVEit, is owned by Progress Software.
PBI promptly reported the breach to federal law enforcement, and CalPERS has implemented “additional safeguards” to protect the information of retirees who use the member benefits website and visit regional offices. However, specific details about these safeguards have not been disclosed due to security concerns.
___
Bajak reported from Boston.
___
Sophie Austin is a corps member for the Associated Press/Report for America Statehouse News Initiative. Report for America is a nonprofit national service program that places journalists in local newsrooms to report on undercovered issues. For updates from Sophie Austin, follow her on Twitter: @sophieadanna
Denial of responsibility! VigourTimes is an automatic aggregator of Global media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, and all materials to their authors. For any complaint, please reach us at – [email protected]. We will take necessary action within 24 hours.
