Sacramento, California – California pension officials say the personal information of nearly 769,000 retired state employees and other beneficiaries — including Social Security numbers — was among the data stolen by Russian cybercriminals in a breach of a popular file-transfer application.
They said they are offering two years of free credit monitoring to affected members.
The breach of the MOVEit program, discovered last month, is estimated by cybersecurity experts to have compromised hundreds of organizations globally. Confirmed victims include the US Department of Energy and several other federal agencies, more than 9 million motorists in Oregon and Louisiana, Johns Hopkins University, Ernst & Young, BBC and British Airways.
The criminal gang behind the hack, known as CL0P, has been extorting victims and threatening to dump their data online if they do not pay.
The California Public Employees’ Retirement System said in a statement that the breach involved a third-party vendor that used MOVEit to notify of member deaths and help validate payment eligibility.
“This outlandish breach of information is inexcusable,” CalPERS CEO Marcie Frost was quoted as saying. “Our members deserve better. As soon as we became aware of what happened, we took prompt action to protect our members’ financial interests, while also taking steps to ensure long-term security.”
Security experts say such so-called supply-chain hacks highlight an uncomfortable truth about software organizations: Network security is only as strong as the weakest digital link in the ecosystem.
Officials said the stolen data includes names, dates of birth and Social Security numbers — and may also include the names of spouses or domestic partners and children. CalPERS identified the vendor as PBI Research Services/Berwyn Group. CalPERS plans to send letters Thursday to those affected by the breach.
CalPERS said PBI notified it of the breach on June 6, the same day cybersecurity firms began releasing reports on the breach of MOVEit, whose maker Ipswitch is owned by Progress Software.
Officials said PBI reported the breach to federal law enforcement, and CalPERS put “additional safeguards” in place to protect the information of retirees who use the member benefits website and visit a regional office.
AP Technology Writer Frank Bajak contributed from Boston.
Sophie Austin is a corps member of The Associated Press/Report for America Statehouse News Initiative. Report for America is a non-profit national service program that places journalists in local newsrooms to report on undercovered issues. Follow Austin on Twitter: @sophieadanna