Hackers stole the names, Social Security numbers, birth dates, and other personal information of about 769,000 retirees and beneficiaries, the California Public Employees' Retirement System (CalPERS) said on Wednesday.
According to the Sacramento Bee, the hackers were able to get this information by exploiting a hole in a contracted vendor's cybersecurity system.
“This external breach of information is inexcusable,” CalPERS CEO Marcie Frost said. “Our members deserve better. As soon as we learned about what happened, we took fast action to protect our members’ financial interests, as well as steps to ensure long-term protections.”
According to the report, the hackers may have gained information on CalPERS members' prior or present employment, spouses or domestic partners, and children.
“A small town in Massachusetts called Lowell recently had to offer credit monitoring to its employees,” cybersecurity expert Brett Callow explained. “That cost a million bucks. Now, Lowell has a population of just over 100,000, so that can’t be that many city employees.”
Callow went on to say that the victims include 12 state or government bodies in the United States, eight public-sector agencies in other countries, and six colleges in the United States.
CalPERS said on its website that all impacted members are eligible for two years of free credit monitoring and identity restoration services from Experian.
Yet, members appear to be enraged about the situation. Randy Cheek, legislative director of the Retired Public Workers Association, told the Sacramento Bee that he was furious when he learned that he and other impacted employees had not been informed promptly.
“They found out about it two weeks ago — and they’re just now saying something, and they’re gonna send letters out tomorrow,” Cheek said. “On top of that, they didn’t even tell the bank because I just called Golden 1 and they had no idea. I talked to their top security guy.”
Golden 1 Credit Union, according to Cheek, holds accounts for hundreds of thousands of state employees.
When asked why it took so long to notify members that their personal information had been hacked, CalPERS told the Sacramento Bee, “We needed to make sure we had all the facts and that our system was secure before alerting retirees.”
“Our primary duty was and is to ensure the safety of all our member and retiree information,” CalPERS officials added.
According to the CalPERS website, hackers were able to obtain the information after discovering a critical flaw in the MOVEit Transfer program.
Meanwhile, the Clop ransomware group claimed to have exploited the flaw before a fix was released. Clop allegedly used malicious code to gain access to data that should not have been exposed.