As if CalPERS didn't have enough of a problem simply with incompetent portfolio management and an incessant need to play "catch up" to try and meet its fund's obligations, the nation's largest public pension fund is now dealing with a massive data breach.
CalPERS saw the personal information of 769,000 of its retired members exposed in a third-party breach earlier this month, KCRA reported this week. The fund serves more than 2 million members in its retirement system and 1.5 million in its health system, the report says.
The California State Teachers' Retirement System, the second largest pension fund in the U.S., also suffered from the breach. It has more than 947,000 members.
This week CalPERS said that its third party vendor, PBI Research Services, had notified it of a "vulnerability" with software used to identify member deaths and make sure payments are distributed correctly. It told CalPERS the issued had since been fixed.
The app contains identifying information, including full names, birth dates and social security numbers. This information was accessed by an "unauthorized third party" the report says, also noting that names of family members may have also been exposed.
The third party told CalPERS that it found the issue "at the end of May" and that it was "actively being exploited by cyber criminals."
In a statement, PBI said: "PBI promptly patched its instance of MOVEit, assembled a team of cybersecurity and privacy specialists, notified federal law enforcement and contacted potentially impacted clients. The cyber criminals did not gain access to PBI’s other systems – access was only gained to the MOVEit administrative portal subject to the vulnerability. PBI is working directly with impacted clients to identify impacted consumers and develop notice plans."
And it isn't just CalPERS that was affected: "thousands" of other organizations have also been impacted, the report says, including the U.S. Department of Energy and other federal agencies. Over 9 million drivers in Oregon and Louisiana, Johns Hopkins University, the Ernst & Young accounting firm were also exposed.
Randy Cheek, legislative director for the Retired Public Employees' Association of California, concluded: "I felt just... flabbergasted that they didn’t say anything to anybody before this. We should have known. We should have been able to check our accounts."
CalSTRS said in a statement: "This incident did not involve unauthorized access to CalSTRS' network. CalSTRS is working with PBI to identify the CalSTRS members whose information was involved in PBI’s incident. CalSTRS will provide notice to any members and beneficiaries whose personal information was involved in accordance with applicable law."