CalPERS retirees sue vendor PBI over breach that exposed social security numbers, other data

CalPERS pensioners David Berry and Bonnie Gayle Ng filed a lawsuit Friday in San Francisco federal court for damages they suffered as a result of a data breach that exposed their names, social security numbers, birth dates and other personally identifiable information.

The lawsuit seeks class-action status on behalf of all California residents whose data was stolen in May from PBI Research Services + Berwyn Group, alleging that the companies did not maintain reasonable security measures or adequately protect California residents’ privacy.

Both CalPERS and CalSTRS, the nation’s two largest public pension funds, contracted with PBI to identify retirees or beneficiaries who had died, helping them to prevent overpayments or other errors. PBI used data transfer software called MOVEit, made by Progress Software, to securely exchange information with its clients.

In May, a ransomware group known as Clop or Cl0p discovered a vulnerability in the MOVEit software and exploited it, gaining access to the data and bypassing its encryption protections. Clop claimed to have stolen information from hundreds of organizations around the world, and PBI is one of about 150 entities that have acknowledged being victims. Roughly 16 million people around the world are estimated to have had data compromised.

PBI, based in Minneapolis, did not reply to The Sacramento Bee’s request Monday for comment on the lawsuit. Its leaders posted a statement related to the breach. In part, it read: “At the end of May, Progress Software identified a cyberattack in their MOVEit software that did impact a small percentage of our clients who use the MOVEit administrative portal software resulting in access to private records. This incident did not gain access to PBI’s core systems or software. PBI promptly patched its instance of MOVEit, assembled a team of cybersecurity and privacy specialists, notified federal law enforcement, and contacted impacted clients.”

The pension funds announced the breaches on June 22, angering retirees who wanted to know why they waited so long to tell them that their confidential information was in the hands of hackers.

San Francisco-based attorneys Julie Erickson, Elizabeth Kramer and Kevin Osborne brought the lawsuit on behalf of Ng and Berry.

“PBI’s website heavily advertises itself as a secure host of personal information, claiming, ‘protecting and securing your information is our highest priority,’” the attorneys stated in the lawsuit. “While long on promises, PBI fell tragically short of expectations in practice.”

CalSTRS said it learned June 4 that PBI had been affected by the MOVEit hack, and CalPERS said June 6. But it took several days before PBI confirmed that the pension funds’ data were among the files breached. In total, roughly 1.2 million retirees and beneficiaries had data stolen, according to figures reported by the two funds.

Lawsuit: PBI didn’t give enough detail on data breach

In the lawsuit, the attorneys cite CalPERS saying that PBI’s initial communication “did not provide sufficient detail as to the scope of the data that was impacted and the individuals to which that data belonged.”

Both pension funds told The Bee that they did their own investigations to determine which member accounts were compromised. CalSTRS said that PBI indicated that the hackers accessed the data between May 29 and May 30.

“A substantial majority of the funds’ pensioners are fixed-income seniors,” the lawsuit noted. “They are now prime targets for cyberthreats. Their personal information is exposed in the dark corners of the internet because of PBI’s lax security.”

A cybersecurity expert told The Bee that a recent texting scam aimed at Golden 1 Credit Union account holders could be linked to the data stolen in the MOVEit software breach.

“Upon receiving news of the breach, pensioners were panicked,” the attorneys stated in the complaint. “Many immediately attempted to contact the funds to determine the source of the breach or request confirmation of the safety of their pensions. The nature of this incident has caused and will continue to cause them stress, anger, and fear for the safety of their identity and income.”

The lawsuit noted that the National Institute of Standards and Technology has found that hackers often steal data and hold it for use years or even decades down the road. It costs about $30 a month to pay for identity protection, the attorneys said.

The plaintiffs are alleging that PBI was negligent and that it violated the California Consumer Privacy Act, the Customer Records Act, the California Constitution’s right to privacy and the Unfair Competition Law.