Posted on 06/23/2023 6:39:46 PM PDT by george76
The vendor helps CalPERS identify member deaths and make sure that correct payments go to retirees and their beneficiaries.
The personal information of about 769,000 retired CalPERS members was exposed in a third-party data breach that was reported earlier this month. CalSTRS also said it was impacted by the breach and KCRA 3 is trying to learn how many of its members were impacted.
CalPERS, the California Public Employees' Retirement System, is the nation's largest public pension fund. It serves more than 2 million members in its retirement system and more than 1.5 million in its health program.
CalSTRS, the California State Teachers' Retirement System, is the second-largest public pension fund in the United States and the largest teachers' retirement system. It serves more than 947,000 members.
CalPERS first said in a release Wednesday that its third-party vendor PBI Research Services notified the agency on June 6 of a vulnerability with its MOVEit Transfer Application that has since been fixed.
PBI helps CalPERS identify member deaths and make sure that correct payments go to retirees and their beneficiaries.
The app’s vulnerability allowed data like first and last names, date of birth and social security numbers to be downloaded by an unauthorized third party, CalPERS said. The names of members’ family members could also have been accessed.
CalPERS said the breach did not impact its own information systems, myCalPERS or active members. It also does not affect members' monthly benefits payments.
...
But along with retired members and their families, the breach could have also impacted inactive members who soon become eligible for benefits, CalPERS said.
PBI said in a statement that it identified the vulnerability "at the end of May" and that it was "actively being exploited by cyber criminals."
"PBI promptly patched its instance of MOVEit, assembled a team of cybersecurity and privacy specialists, notified federal law enforcement and contacted potentially impacted clients," PBI said. "The cyber criminals did not gain access to PBI’s other systems – access was only gained to the MOVEit administrative portal subject to the vulnerability. PBI is working directly with impacted clients to identify impacted consumers and develop notice plans."
Thousands of other organizations have also been impacted by the breach, CalPERS said.
The U.S. Department of Energy and other federal agencies were compromised, along with more than 9 million drivers in Oregon and Louisiana, Johns Hopkins University, the Ernst & Young accounting firm, the BBC and British Airways.
CalPERS said that on Thursday it will begin sending letters to impacted members about the breach and will offer them free Experian credit monitoring for two years.
It was not immediately clear if CalPERS has received reports of fraud in connection with the breach. KCRA 3 is also asking why the agency waited until this week to announce the breach.
"I felt just... flabbergasted that they didn’t say anything to anybody before this. We should have known. We should have been able to check our accounts," said Randy Cheek, legislative director for the Retired Public Employees' Association of California.
The AP reported that the criminal gang Cl0p, which is believed to be responsible for the hack, is extorting victims.
CalPERS members can email questions about the breach to PBIquestions@calpers.ca.gov or call 833-919-4735 Monday through Friday from 6 a.m. to 8 p.m. or Saturday and Sunday from 8 a.m. to 5 p.m.
CalPERS said that in response to the breach it is making new protocols for myCalPERS and safeguards for those who use the call center or who visit a regional office.
“This external breach of information is inexcusable,” CalPERS CEO Marcie Frost said in a statement. “Our members deserve better. As soon as we learned about what happened, we took fast action to protect our members’ financial interests, as well as steps to ensure long-term protections.”
Everyone should be pre-encrypting before using a service like MoveIt.
“Why did I rob CALPERS? Because that’s where the money is.”
Where’s grabem gruesome?
One of our friends who works for the state of California says it’s all state employees who’ve been breached. The state is just trying to slowly admit the damage.
How do you extort people receiving retirement benefits checks?
Can you explain that?
Without exception government ***** up every single thing it touches.
L
bkmk data breach
If you encrypt them before using a service like MoveIt, a breach of MoveIt doesn't cause any records to be breached, because they are all encrypted by another program and key.
PKZip, 7-Zip, and other free encryption programs easily do this.
PBI said in a statement that it identified the vulnerability “at the end of May” and that it was “actively being exploited by cyber criminals.”
It doesn’t sound like the data breach was due to uploaded files but by failed database management / encryption. How do you figure file transfer in the clear was the problem?
If your files are encrypted before they are put into MoveIt (where MoveIt claims they encrypt things), they are already encrypted, either at rest, or in transit.
This is not rocket science.
What can’t you understand?
I would not be surprised if various US government agencies didn't have master keys to decrypt anything encrypted with common encryption products.
Still, it would be much safer to pre-encrypt.
Don’t send databases of customer data to another company, through software that promises they will encrypt everything they get (so don’t hassle with pre-encrypting, they say), because they can be breached and that breach bypasses all of their security, leaving your files in plaintext to be sorted through at their leisure.
California had billions in fraud during the illegal lockdown.
Gov. Gavin Newsom stole $1.6 billion. He said the money was to buy masks from a communist Chinese BUS company. No masks ever showed up.
I bet this money was his buy in for a run for president. He also took money for his companies called PPP loans. Millions he does not have to pay back.
Search on: California had billions in fraud
How much did California get from EDD fraud?
Analysis shows California EDD fraud at $32.6 billion and counting. Oct 6, 2022
______________________
California has paid out $114 billion in unemployment benefits. Nationally, 35% of unemployment applications are fraudulent
______________________
Nov 25, 2020 — California has likely paid up to $1 billion in fraudulent unemployment claims filed on behalf of prison and jail inmates.
______________________
They came into their riches by participating in what experts say is the theft of as much as $80 billion — or about 10 percent — of the $800 billion handed out in a Covid relief plan known as the Paycheck Protection Program, or PPP. That’s on top of the $90 billion to $400 billion believed to have been stolen from the $900 billion Covid unemployment relief program — at least half taken by international fraudsters — as NBC News reported last year. And another $80 billion potentially pilfered from a separate Covid disaster relief program.
https://www.nbcnews.com/politics/justice-department/biggest-fraud-generation-looting-covid-relief-program-known-ppp-n1279664