The California Public Employees’ Retirement System (CalPERS) reported Wednesday that hackers stole names, social security numbers, birth dates and other confidential information of roughly 769,000 retirees and beneficiaries.
The hackers were able to steal this information by taking advantage of a vulnerability in a contracted vendor’s cybersecurity system, according to a report by the Sacramento Bee.
“This external breach of information is inexcusable,” CalPERS CEO Marcie Frost said. “Our members deserve better. As soon as we learned about what happened, we took fast action to protect our members’ financial interests, as well as steps to ensure long-term protections.”
The hackers may have also obtained information on CalPERS members’ former or current employers, spouses or domestic partners, and children, the report added.
“A small town in Massachusetts called Lowell recently had to offer credit monitoring to its employees,” cybersecurity expert Brett Callow explained. “That cost a million bucks. Now, Lowell has a population of just over 100,000, so that can’t be that many city employees.”
Callow added that the victims include 12 state or government entities in the U.S., eight public-sector agencies in other countries, and six U.S. universities.
On its website, CalPERS added that all affected members are eligible to receive two years of free credit monitoring and identity restoration services via Experian.
Nonetheless, members appear to be furious over the matter. Randy Cheek, legislative director of the Retired Public Employees Association, told the Sacramento Bee that he was livid upon learning that he and others who were affected were not immediately told about it.
“They found out about it two weeks ago — and they’re just now saying something, and they’re gonna send letters out tomorrow,” Cheek said. “On top of that, they didn’t even tell the bank because I just called Golden 1 and they had no idea. I talked to their top security guy.”
Cheek explained that Golden 1 Credit Union holds the accounts for hundreds of thousands of state employees.
After being asked about what took so long to inform members that their information had been compromised, CalPERS told the Sacramento Bee, “We needed to make sure we had all the facts and that our system was secure before alerting retirees.”
“Our primary duty was and is to ensure the safety of all our member and retiree information,” CalPERS officials added.
Hackers were able to steal the information after finding a key vulnerability in the MoveIt Transfer software, according to the CalPERS website.
Meanwhile, a ransomware group called Clop said that it had exploited the vulnerability before a patch was established. Clop had reportedly used malicious software code to obtain access to data that was not supposed to be displayed.
You can follow Alana Mastrangelo on Facebook and Twitter at @ARmastrangelo, and on Instagram.
