CalPERS, the largest public pension fund in the US, said customer details such as name, date of birth, and Social Security Number (SSN) were exposed in the breach.
The details of California Public Employees’ Retirement System (CalPERS) customers were stolen after attackers breached its third-party vendor PBI Research Services.
CalPERS manages pensions and health benefits for 1.5 million public employees in California, with assets worth over $444 billion at the end of 2022.
PBI notified the fund manager about the breach on June 6th, indicating it had fallen victim to exploitation of the MOVEit Transfer bug, which allowed attackers to access and download the data stored there.
“Personal information that was downloaded included: First and Last Name; Date of Birth; and Social Security Number. It could have also included the names of former or current employers, spouse or domestic partner, and child or children,” CalPERS said.
The company said that “anyone who was receiving an ongoing monthly benefit payment as of this spring” was affected by the breach, which the company says totals around 769,000 of its members.
“This includes retirees from the state, public agencies, school districts, and retirees of the Judges’ Retirement System and Legislators’ Retirement System. Anyone who receives an ongoing monthly benefit payment from CalPERS was likely affected,” CalPERS said.
The fund stressed that the third-party breach would not impact members’ payments and retirement as its systems were unaffected by the cyber incident. However, members were advised to stay vigilant for identity theft or fraud threats.
CalPERS is at least the second company affected by the breach of PBI through the MOVEit exploit. Wilton Re, a US-based insurer, said that the PBI breach exposed the details of nearly 1.5 million people.
Why is the MOVEit zero-day important?
The Russia-linked Cl0p ransomware gang has taken credit for exploiting the MOVEit zero-day bug. They claim to have breached hundreds of companies in the process. Experts we’ve spoken to say that around 3,000 deployments of the MOVEit application were active when the flaw was first discovered.
Cl0p has been posting victims’ names on their dark web leak site since June 14th, with Shell Global, Telos, Norton LifeLock, and tens of others uploaded so far. The extent of the exposed data depends on how a certain company uses the file transfer system.
However, CalPERS and PBI Research Services are so far not listed on Cl0p’s dark web blog, which the gang uses to showcase its victims.
Cl0p operates under the Ransomware-as-a-Service (RaaS) model, which means it rents the software to affiliates for a pre-agreed cut of the ransom payment.
The gang employs the “double-extortion” technique of stealing and encrypting victim data, refusing to restore access, and publishing exfiltrated data on its data leak site if the ransom is not paid.