Largest public pension fund in US affected by MOVEit breach

The controversy around vulnerabilities in the MOVEit file transfer tool has now reached the largest public pension fund in the U.S. – California’s Public Employees' Retirement System (CalPERS).

The organization said Wednesday that it was informed on June 6 by a third-party vendor – PBI Research Services/Berwyn Group – that data was accessed by hackers exploiting the MOVEit file transfer tool. CalPERS manages more than $477 billion in assets for over 1.5 million public employees, retirees, and their families in California.

CalPERS sends data through the tool to PBI Research Services/Berwyn Group because the company helps it accurately distribute payments to retirees and beneficiaries. PBI’s primary role is identifying the deaths of beneficiaries, helping prevent instances of overpayment and verifying information on inactive members.

“Personal information that was downloaded included: First and Last Name; Date of Birth; and Social Security Number. It could have also included the names of former or current employers, spouse or domestic partner, and child or children,” CalPERS said in a statement, noting that federal law enforcement has been notified.

The incident affects retirees from the state, public agencies, school districts and retirees of the Judges’ Retirement System and Legislators’ Retirement System. Active CalPERS members are not affected.

The organization has added new protocols on the member benefit website in light of the leaked information and created a call center for victims. Victims are also being offered two years of free credit monitoring and identity restoration services through Experian. They recently mailed information about the incident to retirees or their families.

They urged victims to watch out for instances of identity theft or fraud but explained that none of CalPERS’ systems were affected, meaning monthly pension payments will continue to be deposited.

PBI works with several other state pension funds, including ones in New Jersey, Nevada and Tennessee.

Big Four accounting firms affected

Two of the largest accounting firms in the world also confirmed MOVEit breaches after being added to the leak site of the Clop ransomware group – the gang behind the exploitation of the vulnerability in the software.

Jenny VanOss, director of communications for PricewaterhouseCoopers, said they used the software with a “limited number” of client engagements and stopped using it once they learned about the vulnerabilities.

“Our investigation has shown that PwC’s own IT network has not been compromised and that MOVEit’s vulnerability had a limited impact on PwC,” she said. “We have reached out to the small number of clients whose files were impacted to discuss the incident.”

PricewaterhouseCoopers is the second largest professional services company in the world, with 742 offices in 154 countries and $50.4 billion revenue in 2022.

EY, another member of the “Big Four” group of large accounting firms, also confirmed a MOVEit-related breach.

The company, which reported $45 billion in revenue in 2022, said it began an investigation into the breach after the vulnerability in MOVEit was announced on May 31.

Advisory from @CISAgov, @FBI: https://t.co/jenKUZRZwt

Do you have info linking CL0P Ransomware Gang or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government?

Send us a tip. You could be eligible for a reward.#StopRansomware pic.twitter.com/fAAeBXgcWA

— Rewards for Justice (@RFJ_USA) June 16, 2023

“We have verified that the vast majority of systems which use this transfer service across our global organization were not compromised,” a spokesperson said.

“We are manually and thoroughly investigating systems where data may have been accessed. We are aware that EY has been named along with many other companies. Our priority is to communicate to those impacted, as well as the relevant authorities and our investigation is ongoing.”

The Clop ransomware group claimed on Thursday that it stole 121GB of data from PricewaterhouseCoopers and 3GB from Ernst & Young.

The U.S. Justice Department has issued a reward of up to $10 million for any information on the whereabouts of Clop ransomware actors.

So far, there have been at least 96 victims of the MOVEit vulnerability exploitation – including universities, companies and government agencies.