What CalSTRS, CalPERS did in days after learning hackers had stolen retirees’ personal info

The leaders of CalPERS and CalSTRS, the nation’s two largest public pension funds, provided more details about their actions after they were notified that a data breach had exposed personal information on a combined 1.2 million government retirees and beneficiaries.

The two agencies shared the information after The Sacramento Bee reported Wednesday that California Treasurer Fiona Ma had sent them a letter, urging them to call a special meeting to detail the timeline for the breach, expand upon staff actions after the breach was detected, and share current data security measures and protocols.

In conversations with Ma, both CalPERS and CalSTRS agreed to schedule updates on the data breach when their boards conduct off-site meetings in July.

“Ultimately, the treasurer wants to ensure that CalPERS and CalSTRS members — particularly the retirees and beneficiaries affected — continue to receive updates in a timely manner and are provided all the information they need to protect themselves from fraudulent activity,” said Joe DeAnda, communications director for the State Treasurer’s Office, “and that both organizations have the controls and procedures in place to prevent this type of breach in the future. She’s confident CalPERS and CalSTRS share these goals.”

Retiree Randy Cheek and others told The Bee that they remain deeply troubled by how the pension funds handled the breach. They said they should have been alerted sooner and that the delay in doing so could have given the hackers time to use their identifying information to access retirees’ other financial accounts.

The first inkling of the PBI hack came in early June

The first hint that there could be a cybersecurity threat came June 4 for the staff at the California State Teachers’ Retirement System and June 6 at the California Public Employees’ Retirement System. That’s when both agencies got word from a vendor, PBI Research Services, that a hacker had punched through a weakness in the software code of a data transfer platform it used to securely share information.

The ransomware group Clop, or Cl0p, claimed to have infiltrated MOVEit, a secure file transfer product of Progress Software, and stolen information from hundreds of government agencies, universities, businesses and other entities around the world. So far, Emsisoft threat analyst Brett Callow said, 148 organizations have acknowledged they had information compromised in the MOVEit attacks.

In the initial contact with CalSTRS, PBI said that it didn’t yet know whether the pension fund’s data had been compromised but that “an unauthorized actor accessed files contained in its MOVEit appliance between May 29, 2023, and May 30, 2023,” said CalSTRS spokesman Thomas Lawrence. CalPERS officials got a similar message about their data a few days later.

PBI has helped CalPERS and CalSTRS perform a crucial fiduciary duty, identifying any members who have died, thereby preventing overpayments and other errors.

“Of the 26,000 deaths in (CalPERS) last year, 11,000 of those came through this … vendor,” said CalPERS Chief Executive Officer Marcie Frost. “Those are 11,000 deaths that had not been communicated to CalPERS.”

Frost said it was June 9 when PBI confirmed that the incident involved files containing the personal information of some CalPERS retirees and beneficiaries. CalSTRS got confirmation a day earlier that its data had been exposed.

CalSTRS, CalPERS raced to secure data before going public

Both STRS and PERS immediately launched investigations, asking that PBI return the files. Frost brought in her team on June 10 to formulate plans for member notification and, given what data was stolen, to ensure member accounts in the myCalPERS self-service system couldn’t be breached.

CalPERS members use that system to do things such as enter their banking information and direct where their pension checks should be deposited, Frost said.

“Between June 10 and June 20, we instituted the myCalPERS system changes that needed to be put into effect,” Frost said. “We were able to get that code written and implemented into myCalPERS ... within that 10 day period of time. Meanwhile, we were contracting with Experian to offer the two years of credit monitoring, setting up the unique activation codes and really getting the member letter set up through Experian and getting that address file for our retirees set up through Experian because they are the ones who coordinated the mailing of that information out to ... the impacted retirees.”

On June 11, CalPERS got its file from PBI and began examining it to figure out what kind of data it contained and who was affected. CalPERS discovered that personal information on 769,000 people was stolen: names, Social Security numbers and birth dates. The hackers also may have gotten the names of former or current employers, spouses or domestic partners, and children, CalPERS officials reported.

The file contained information on anyone who was receiving an ongoing monthly benefit payment as of this spring, CalPERS noted in its Q&A, but there was no intrusion into the CalPERS system and monthly benefits were not affected.

CalSTRS was working through a similar process and, on June 16, its team determined that its PBI file contained the name, Social Security number, date of birth, and ZIP code of approximately 415,000 CalSTRS members and beneficiaries. No myCalSTRS accounts or financial information were involved in the incident, officials said, and pension payments were not affected.

“CalSTRS is committed to ensuring the privacy and security of our members’ personal information, and we know that members are concerned,” said CEO Cassandra Lichnock. “CalSTRS acted as quickly as possible to notify the members whose information was involved.”

PBI reported the breach to federal authorities, the pension funds said, and told CalPERS and CalSTRS that it had fixed the vulnerability that allowed the intrusion.

Lawrence said CalSTRS is evaluating the relationship with the company. Frost said CalPERS is no longer using PBI, a vendor the agency began contracting with in February 2022.

“We are investigating other tools. Unfortunately, there are not many resources to do this death verification,” Frost said. “There are a couple of new tools that we are looking at, and we’ll have that research completed with a recommendation coming from our technology team within the next weeks. And then (the team will be) determining whether those sources of information will be sufficient.”

Retirees to seek inquiry into handling of data breach

After the work to fortify the myCalPERS system was complete, Frost said, her staff reported what had occurred to the Board of Administration’s Risk and Audit Committee and then to all board members on June 21. Once they finished those meetings, she said, they then updated leaders of the California State Retirees and the Retired Public Employees Association. All stakeholders were given an opportunity to ask questions, Frost said.

Former CalPERS board member J.J. Jelincic, who attended the meeting, said the staff ended questions “for the board’s convenience.” This came after stakeholders had been forced to wait as the board repeatedly extended a closed session meeting, Jelincic said, making attendees wait two hours after initially saying it would be 20-30 minutes.

CalPERS spokesman Brad Pacheco said the staff ended the stakeholder briefing because many attendees had come to hear the proposed 2024 health care rates and the board’s Pension & Health Benefits Committee was starting a meeting where those rates would be discussed.

That’s true, Jelincic said, but if stakeholders had been given the option of attending or staying to ask questions on the data breach, some probably would have stayed since CalPERS staff had already provided information on what the proposed rates were.

Pacheco said: “We’ve always made ourselves available for additional questions and established a dedicated email for that purpose: PBIquestions@calpers.ca.gov.”

CalPERS’ answers to retiree questions have so far not appeased Cheek, the legislative director of the Retired Public Employees Association. Cheek said that his organization will be requesting a legislative inquiry into how CalPERS handled the breach and may also contact the state Attorney General’s Office.

If CalPERS needs assistance in tracking decedents, he said, it should contract with a vendor that will allow CalPERS to use its software in-house and train CalPERS personnel to do the work.

“Why are you giving our information to outside agencies? That’s a big problem,” Cheek said. “My members are livid. I’m getting calls from all over the state.”

CalPERS also should have been transparent about the breach from the start, Cheek said, to give retirees an opportunity to safeguard their bank accounts, investment accounts, credit cards and other accounts where the stolen personal information could have been used to illegally obtain access.

Frost said that the CalPERS board carefully weighs decisions on whether to share members’ personally identifiable information with a contractor and that she and her team regularly face questions on this topic. The CalPERS staff makes quarterly reports to the board on cybersecurity, she said, and board members take their oversight of such decisions very seriously.