On July 8, 2023, the Employee Retirement System of Rhode Island posted a “PBI Data Breach” notice on its website, describing an incident that resulted in confidential information of current and former TIAA account holders being compromised. In this notice, ERSRI explains that an unauthorized party was able to access members’ sensitive information, including their names, Social Security numbers, addresses, dates of birth and genders. Upon completing its investigation, ERSRI began sending out data breach notification letters to all individuals whose information was affected by the recent data security incident.

If you received a letter from PBI discussing the data breach at the Employee Retirement System of Rhode Island, it is essential you understand what is at risk and what you can do about it. While the relationship between the various organizations involved is confusing, the result is that an unauthorized party was able to access confidential information belonging to Rhode Island state workers who have an account with TIAA. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft as well as discuss your legal options following the ERSRI data breach. For more information, please see our recent piece on the topic here.

What Caused the Data Breach Affecting ERSRI?

The PBI / ERSRI data breach was only recently announced, and more information is expected in the near future. However, ERSRI’s recently posted notice provides some important information on what led up to the breach. According to this source, ERSRI oversees the retirement benefits of employees of the State of Rhode Island. TIAA is the Defined Contribution Plan vendor for ERSRI. TIAA relies on certain services from Pension Benefit Information, LLC (“PBI”). To allow PBI to perform these services, TIAA passes on confidential employee information provided to TIAA by ERSRI.

PBI uses a file transfer software called MOVEit, which was created by Progress Software. On May 31, 2023, Progress Software announced a vulnerability within MOVEit that allowed unauthorized actors to access information on MOVEit servers, including PBIs.

Upon learning of the vulnerability, PBI launched an investigation, confirming that TIAA data was included in the compromised files. PBI informed TIAA of the incident, and then TIAA informed ERSRI.

While the breached information varies depending on the individual, it may include your name, Social Security number, address, date of birth and gender.

On July 8, 2023, ERSRI posted notice of the incident on its website. Additionally, PBI will be sending out data breach letters to anyone who was affected by the recent data security incident. These letters should provide victims with a list of which information of theirs was compromised.

More Information About Employee Retirement System of Rhode Island

The Employee Retirement System of Rhode Island provides retirement, disability, and survivor benefits to Rhode Island state employees, public school teachers, judges, state police, participating municipal police and fire employees, as well as general employees of certain municipalities. ERSRI employs more than 25 people and generates approximately $21 million in annual revenue.