On June 26, 2023, the California State Teachers Retirement System (“CalSTRS”) posted a notice of data breach on its website after learning that confidential member information was leaked in a third-party data breach involving an incident involving software used by PBI Research Services. Based on the organization’s post, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers, dates of birth and zip codes. After confirming that consumer data was leaked, CalSTRS began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification from CalSTRS, it is essential you understand what is at risk and what you can do about it. The California State Teachers Retirement System is one of many large organizations that has been affected by recent software-related data breaches involving third-party vendors. As a result, victims of these breaches now face significantly increased risks of identity theft and other frauds. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the CalSTRS data breach, please see our recent piece on the topic here.
What We Know So Far About the CalSTRS Breach
News of the CalSTRS data breach is still fresh; however, what we know at this point comes from a post on the CalSTRS website entitled “Information about PBI data security incident.” According to this source, the breach involved PBI Research Services, which is a company CalSTRS uses to ensure that payments are not sent after a member has passed away.
Based on similar reports from other organizations, the incident likely involved the MOVEit file transfer tool, created by Progress Software, LLC. Evidently, CalSTRS and PBI used the file transfer software to transmit files containing member information. Recently, PBI informed CalSTRS that the software contained a vulnerability that hackers were able to exploit, allowing the hackers to access the information sent between the companies.
In response, CalSTRS requested a list of the compromised files from PBI and then launched an investigation to determine the nature and scope of the incident, as well as what, if any, confidential member information was leaked. The CalSTRS investigation confirmed that, although hackers were not able to access CalSTRS systems, they were able to access confidential information belonging to certain members.
Upon discovering that sensitive member data was made available to an unauthorized party, CalSTRS began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, Social Security number, date of birth and zip code.
On June 26, 2023, CalSTRS sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. Importantly, the recent breach of CalSTRS member data did not involve CalSTRS’s system being hacked; the incident was limited to data within the MOVEit tool.
More Information About California State Teachers Retirement System
The California State Teachers Retirement System is an educator-only pension fund that serves California's public school teachers and their families. CalSTRS is the largest teachers’ retirement system and the second-largest public pension fund in the United States, serving 949,000 teachers and their families. CalSTRS employs more than 1,270 people and generates approximately $263 million in annual revenue.