The California Public Employees Retirement System (CalPERS), the nation’s largest public pension fund and insurer, Genworth Financial, admitted that the personal information of millions of account holders was compromised in a major security breach.
A third-party file storage vendor, PBI Research Services, was attacked by Russian hackers after going through a loophole in its MOVEit Transfer software, who then stole the data from CalPERS and Genworth.
The cybercriminals were able to exploit a weakness in the system that contained the records of deceased CalPERS members.
MOVEit file storage software is popular with many organizations around the world to store and share sensitive data.
Victims Were Not Informed in Time to Prevent Security Breach
Ipswitch, which is the maker of the MOVEit, is owned by Progress Software, first discovered the security flaws in their product in May.However, CalPERS was only informed of the breach on June 6, after PBI told them that the hackers broke into their data storage system and downloaded streams of sensitive data.
Cybersecurity firms only began to issue reports of MOVEit’s security problems the same day that PBI informed its clients about the cyber attacks.
The number of victims of the MOVEit data theft hack is in the millions, according to CalPERS and Genworth, which faced the brunt of the thefts.
According to the Associated Press, the personal information of about 769,000 retired California state workers and other members were stolen by Russian-based cybercriminals.
Genworth, meanwhile, disclosed on June 15, that the personal data of nearly 2.5 million to 2.7 million of its customers was stolen in a filing with the Securities and Exchange Commission.
“The personal information of a significant number of insurance policyholders or other customers of its life insurance businesses was unlawfully accessed,” Genworth said in a statement.
PBI reported the breach to federal law enforcement, while CalPERS said it had placed “additional safeguards” to protect the information of retirees but did not elaborate on those new measures, citing security reasons.Russian Cybergang Attacks MOVEit Data Storage Systems Worldwide
The Russian criminal gang behind the hack, known as Cl0p, has threatened to extort their victims and is threatening to dump their data online if they do not pay a ransom.
In a letter to members, CalPERS offered two years of free credit monitoring to those hit by the hack, while Genworth promised to provide “protection services,” such as credit monitoring and ID theft protection to their affected clients.The personal data stolen from CalPERS included first and last names, dates of birth and social security numbers, along with names in certain cases, of spouses, or domestic partners and children, officials said.
The California state pension officials held more than 2 million accounts in its retirement system, with more than $442 billion in assets, as of Dec. 31.
Government agencies in the United States, Britain’s telecom regulator, Shell Plc, among others, were also affected by the security breaches, which were estimated by cybersecurity experts to have compromised hundreds of organizations worldwide.
The U.S. Department of Energy (DOE) and several other state and federal agencies, Johns Hopkins University, Ernst & Young, the BBC, and British Airways, were also hacked by the Russian team.The DOE received ransom requests last week from the Russian cybergang after they hit the same nuclear waste facility and scientific education facility, which were already attacked in the past by an international hacking campaign.
A security flaw in MOVEit Transfer was also held responsible for the attacks on the DOE’s systems.
PBI could not be reached for comment.Reuters and the Associated Press contributed to this report.
