Massive Data Breach Hits California Public Pension Funds, CalPERS and CalSTRS

by Leslie Eastman at

The breach was associated with the MOVEit Transfer app, which is used by thousands of organizations worldwide that were also impacted by the incident.

California’s two top public pension funds, the largest in the nation, were struck by a massive data breach that allowed hackers to download data such as names, birthdates, and Social Security numbers.

The personal information of about 769,000 retired CalPERS members was exposed in a third-party data breach that was reported earlier this month. CalSTRS said 415,000 of its members and beneficiaries were impacted by the breach.

CalPERS, the California Public Employees’ Retirement System, is the nation’s largest public pension fund. It serves more than 2 million members in its retirement system and more than 1.5 million in its health program.

CalSTRS, the California State Teachers’ Retirement System, is the second-largest public pension fund in the United States and the largest teachers’ retirement system. It serves more than 947,000 members.

CalPERS first said in a release Wednesday that its third-party vendor, PBI Research Services, notified the agency on June 6 of a vulnerability with its MOVEit Transfer Application that has since been fixed.

PBI helps CalPERS identify member deaths and make sure that correct payments go to retirees and their beneficiaries.

CalPERS officials responded that they will offer free credit monitoring to impacted members. This is likely to be a very costly solution for the organization.

In a Q&A posted on the agency’s website, CalPERS leaders said that all affected members are eligible to receive two years of free credit monitoring and identity restoration services through Experian. CalPERS mailed letters Thursday with the agency logo and a signed message from the CEO detailing what’s available and how to enroll.

Threat analyst Brett Callow of the cybersecurity firm Emsisoft said the hackers responsible for the attack claim that hundreds of businesses, government agencies and other entities worldwide were victims in the attack.

So far, Callow said, about 100 organizations have announced they had personal data stolen. In a report last week, the U.S. Department of Health and Human Services said that millions of Americans have been affected.

“The cost of this incident will be absolutely enormous,” Callow said. “A small town in Massachusetts called Lowell recently had to offer credit monitoring to its employees. That cost a million bucks. Now, Lowell has a population of just over 100,000, so that can’t be that many city employees.”
