CalPERS is refusing to take readily available measures to prevent the release of hacked personal data of 770,000 beneficiaries. And as we’ll explain below, the information at issue is extensive, with the potential to create identity theft hell. CalPERS has indicated it will not use its ransomware policy, with a $1 million deductible, to pay off the hackers. Mind you, as indicated, that’s a mere $1.30 per affected beneficiary.
Oh, but those beneficiaries are retirees plus a comparatively few inactives, who are typically government employees who left for the private sector. So CalPERS executives can’t be bothered since they see this group as not powerful enough to bother to protect, despite the large numbers harmed.
If this has been the data of current CalPERS employees, you’d be sure CalPERS would be willing to pay whatever it took to appease the ransomware artists. After all, this is the CalPERS that hand-waved away a $67 million loss on Silicon Valley Bank as a drop in the bucket.
As you’ll also see, this story is the latest in a series of fiascoes regarding CalPERS failure to take measures to make sure that dead people stopped getting CalPERS benefit checks produced a overpayments scandal. So CalPERS belatedly moved to solve a problem that started in 2011. Then, the Social Security Administration significantly reduced access to its full Death Master File, specifically preventing entities that were not Federal or State agencies from getting the portion of the data file that relied on death certificates. Weirdly CalPERS as a California state agency was deemed not to qualify.
But only years later, in 2021, after being embarrassed in the press did CalPERS decide to Do Something. As you can see in the embedded board transcript below (search on Social Security), CalPERS had been negotiating with the Social Security Administration to get access to their full Death Master File, with approval expected by year end 2021 and implementation to be underway by August 2022. CalPERS oddly was also signing up, per the transcript to use two vendors who would develop their own death files, relying heavily on obituaries.
Why didn’t CalPERS wait the few additional months to get the Social Security data? Maybe because no opportunity to buy friends via unnecessary contracts should be passed up. And maybe because doing the work in house would be, well, work and would mean CalPERS would have no one to blame if there were screw-ups.
Making those matches is messy, since a dead person may have a common name, requiring the vendor to use other information about the person, like city of residence, street address, spouse and children’s names, along with the linchpin, the full Social Security number, to confirm the identity.
The data breach occurred at the outside vendor. CalPERS told beneficiaries that it sent the data over encrypted and it was hacked when the vendor unencrypted it to use it. From the Financial Times:
In a statement published on its website, the $442bn pension fund alerted its retired members and their families that some of their personal information, including dates of birth and social security numbers, were downloaded during an incident impacting its contracted third-party provider PBI Research Services/Berwyn Group. The incident involved the MOVEit file transfer service.
“On June 6, 2023, PBI notified Calpers that a previously unknown ‘zero-day’ vulnerability in their MOVEit Transfer Application allowed our data to be downloaded by an unauthorised third party,” Calpers said in the statement. A zero-day vulnerability is a security flaw that has not yet been identified or patched by the software provider.
The California-based fund estimates the security incident affected the personal information of about 769,000 members.
“This external breach of information is inexcusable,” said Calpers chief executive Marcie Frost.
“Our members deserve better. As soon as we learned about what happened, we took fast action to protect our members’ financial interests, as well as steps to ensure long-term protections.”
Frost is, as usual, lying shamelessly.
The Financial Times article makes clear that a “Russian-speaking criminal gang” called the Clop group had hacked personal data at UK companies and issued ransomware demands, as was expected to his US concerns soon.
KCRA supplied more information, that roughly 415,00 CalSTRS has also been hit, and gave more of an idea of the extent of the breach:
The app’s vulnerability allowed data like first and last names, date of birth and Social Security numbers to be downloaded by an unauthorized third party, CalPERS said. The names of members’ family members could also have been accessed….
But along with retired members and their families, the breach could have also impacted inactive members who soon become eligible for benefits, CalPERS said….
It was not immediately clear if CalPERS has received reports of fraud in connection with the breach. KCRA 3 is also asking why the agency waited until this week to announce the breach.
“I felt just– flabbergasted that they didn’t say anything to anybody before this. We should have known. We should have been able to check our accounts,” said Randy Cheek, legislative director for the Retired Public Employees’ Association of California.
Cheek alludes to the real danger, which the news stories skip over. It’s to identity theft, which can lead to from loans being taken out in your name or even to money hoovered out of your bank account (this happened recently to a friend at Chase to the tune of $25,000).1
Now to the Frost howler about acting quickly. Randy Cheek is correct to complain that beneficiaries had not been warned until it was convenient for CalPERS, right after a regularly closed session where the board was informed of the hacking (note CalPERS has a procedure for emergency board members but staff couldn’t be bothered to treat this matter as important). But on top of that, CalPERS was not willing to use its ransomware policy to pay off the hackers and buy the information back.
After the closed session, CalPERS had a 15 meeting with retirees at the CalPERS. Frost and senior staff did not deign to show, another sign of lack of concern about beneficiary welfare.
On the way out of the side meeting, former board member Margaret Brown accosted Kim Malm, interim deputy executive officer for the Customer Services & Support Section. Other retirees heard this exchange.
Brown asked her why CalPERS had not used its ransomware policy.
Malm said the deductible was $1 million, as if that was too high.
.
Brown repeated her query, why had CalPERS not triggered the policy.
Malm gave her a blank stare and walked away.
What is the point of paying for insurance and not using it? Is this yet another case of CalPERS expensively buying favors by enriching insurers and their brokers?
Malm’s reaction, which Brown read as no one at CalPERS was even considering putting in a claim under the ransomware policy, suggests either no one had even looked at it since management had decided mere retirees weren’t worth it.
Now it may also be that CalPERS knows the ransomware policy is an empty bag. If so, why pay for it?
CalPERS failed to protect its beneficiaries in other ways:
Why doesn’t PBI have insurance to cover the data breach? There’s no mention in any of the press stories that PBI might be able to cover some of any losses.
Why didn’t CalPERS contract require PBI/Berwyn to have ransomware insurance?
Does CalPERS ransomware insurance cover third parties? If not, it’s even more inexcusable that CalPERS didn’t require its death data vendors to be well covered.
I’ve gotten quite a few upset calls. One prominent retiree wrote me, disgusted about the latest failure under Frost:
I thought [former CEO Fred] Buenrostro [sentenced to 4 1/2 years in Federal prison for embezzlement and other charges] was bad and then came Marcie Frost whose hires and policy decisions stink of incompetencies. The news of the security breach by PBI which has compromised data of retirees such as myself is shattering. As a result of this breach, I sent every CalPERS Board member an email demanding that the Board and Frost meet with membership so we can confront Frost with our questions about the breach. We deserve as much but what I would really like is for the Board to have a vote of no confidence and fire Frost. It won’t happen. Sadly, this Board is as clueless and incompetent as Frost.
Friends working at CalPERS have shared that Frost was responsible for hiring PBI – if that is true it is one more bad decision on her part.
The nepotism, the sweetheart deals with health plans, the embracing of risk management after it failed, and so much more are too exhausting to think about anymore. I am grateful I was able to retire when I did because CalPERS has deteriorated more than I dreamed possible.
Sadly even with the Financial Times picking up on the story, the coverage is suitably bland and completely misses how CalPERS is throwing retirees under the bus out of sheer laziness and perhaps even spite, since it’s the retirees who have been doing what they can to combat corruption and incompetence at CalPERS.
_____
1 One wonders how the crooks figured out which bank to target. But Chase is a big bank, perhaps they just brute forced the top five.
00 9.14.21 Risk and Audit Death Benefit Overpayment item6a-00_a
00 9.14.21 Risk and Audit 2021-0914-rac_a
21 comments
Comments are closed.
So a few mere days after the sinking of the Titan submersible, we get yet another prime example of organizational failure to properly avoid risks. What else is there to add, other than the shocking continued incompetence of the CalPers board and top people like Frost.
Appeasing ransomware is rewarding crime. No one should pay out.
Easy for you to talk when it isn’t your bank account at risk. Are you prepared to indemnify the 770,000 CalPERS employees? Otherwise you have no business opining.
Financial institutions in particular don’t agree: https://www.cnbc.com/2022/11/01/us-banks-process-roughly-1point2-billion-in-ransomware-payments-in-2021.html
And why did CalPERS waste its money on ransomware insurance?
And you seriously believe CalPERS not paying will stop the practice? That data still has value on the dark web, even if not as much as in a buyback.
Why pay for insurance if you are not going to make a claim? I believe calPers did not file a claim with their insurance because retired people are not worth the cost of the deductible ($1 million or 90 cents per person)!!
This clearly shows that CalPers can not be bothered to protect retirees, proactively or reactively.
I am sick with worry and likely all this stress will be the death of me and other retirees. Which suits Calpers just fine. Retirees are dead and Calpers stops paying. It’s a win win for Calpers.
Well CalPERS was not so much hacked as the hackers tried to find the administrative account and password so used ‘admin’ and ‘password’ first – which worked. That story of an previously unknown ‘zero-day’ vulnerability I would want proved first in any case. I wonder if a class law suit is an option for those 770,000 beneficiaries? Are there many lawyers in California? Proving incompetence, laziness and gross disregard of their duties is easily provable from what I am reading here. Sure, CaLPERS might kick up a fuss but do they really want to trigger the process of discovery? I can only imagine what might be in their files. But here outsourcing functions to external entities – which should really be in-house functions – and then when they screw up claim that it was ‘inexcusable’ only makes them sound even lamer than they are.
No lawyer who works in California would ever touch a class-action lawsuit against CalPERS for two reasons:
First, the CalPERS Board would not hesitate to spend hundreds of millions of dollars in trust fund assets defending against any lawsuit — even on spurious grounds as we saw in the Long Term Care fiasco. No retiree has this kind of money laying around and no law firm has the resources to take the case “on the come.”
Second, it’s an open secret that CalPERS annually over-pays third-party Private Equity and Real Estate management fees to the tune of $2 Billion and third-party Health Care premiums to the tune of $4 Billion in order to launder political kick-backs to elected officials in state and federal office. Every law firm in the state knows that they’d be blackballed from ever seeing another California client walk through the door as payback for killing the goose that lays golden eggs.
Don’t ask me how I know this…
So sad,
this is more than ineptitude, this is outright barely conceiled robbery of people who actually helped to build and paid for all the infrastructure in the country that remains.
From the article: “Weirdly CalPERS as a California state agency was deemed not to qualify.”, “CalPERS oddly was […] relying heavily on obituaries.” –
“Weirdly, oddly”, that just shows that the populace is just already so fragmented that they will put up with outright national-institutional robbery if it doesn’t affect them directly, if only the strafing impacts pass them over one more time.
All “Western”, and most ‘Non-Western’ countries employ the same Mafia-methods by now – no matter if reigned by right-or-left-wing parties of any couleur.
At times, I paradoxically feel ~somewhat~ safer here on my farm in equatorial Africa.
If there would be any uncorrupted judiciary left in any of our ” Western” countries, the judges would never-ever accept such ” excuses ” as stammered e.g. by CalPers above and would dish out the full penalty of the law.
Instead, the party who has more money wins. – Simple as that — Rule of law, passé & perdu.
Yeah, at least the Mafia is honest about it: they don’t try and pretend they respect the “rule of law” and all that BS.
One could almost imagine that when Marcia Frost is finally jettisoned, the Calpers board would aggressively headhunt Ursula van der Leyen as her replacement. Only the most incompetent possible candidate would suffice.
Yeah, there is even a fancy word for that: kakistocracy. Only the most inappropriate, incompetent and crooked candidates need apply ;-)
Holy cow. Just emailed Calsters on behalf of my mom and asked what they are doing to protect their retirees from identity and bank theft. Will post their reply when I get it.
And here is the reply from Calsters which is basically nothing; argh! :
Thank you for contacting CalSTRS about the data security incident. We understand this is concerning to our members and CalSTRS is moving quickly to identify and minimize the impact to our members. This is an evolving situation, and we may not be able to answer all of your questions at this time. Here’s what we can share with you.
CalSTRS is one of many organizations around the world that has been affected by the PBI Research Services data security incident involving software called MOVEit.
CalSTRS is committed to ensuring the privacy and security of our members’ personal information. The IT systems at CalSTRS were not accessed. Your myCalSTRS account remains safe and protected from this incident.
Retirement benefit payments will not be impacted or delayed. Payments will go out as planned – paper checks will be mailed on June 28 and direct deposit is scheduled for June 30.
CalSTRS is actively working with PBI to identify our members and beneficiaries whose information was involved. The members and beneficiaries whose information was involved will be sent a letter soon identifying resources available to them to help protect their personal information.
The letter will include contact information for a dedicated call center staffed by trained representatives who can answer questions about the data security incident. These representatives are not CalSTRS employees, and they will not have access to your member account information or any CalSTRS IT systems. For questions not related to this incident, or about your retirement benefits, please contact CalSTRS directly.
Should you have additional questions or concerns, please email ExternalAffairs@CalSTRS.com.
As to the Chase incident, I have received a few phishing emails recently telling me my Chase account has been compromised.
I don’t have a Chase account, which leads me to believe it’s just a massive attack on one of the biggest banks.
Yves you usually have good articles, but this is rubbish. You literally can’t win with ransomware. It’s not like a real hostage negotiation where you can blow down the door and charge the crooks.
There are no guarantees they wouldn’t keep trying to squeeze blood from a stone after paying the first ransom. Or just leak the data anyway because we’re cool hackers. People always forget that there is actually no honor among thieves.
Sorry, you are the one who is talking rubbish. First, expert articles on this topic state the reverse, that hackers do generally honor their commitments. These hackers, particularly cases like this one, with a known group engaged in repeat exploits, want people to pay up, so if they collected money and released the data anyhow (which is presumably less lucrative than the shakedown), no one would ever cooperate again. And this is group is engaging in multiple hackings.
It took me all of 30 seconds to find disproof of your claim from an organization that unlike you actually keeps tabs:
https://theitem.com/stories/explainer-no-ransomware-silver-bullet-crooks-out-of-reach,363271
Oh, but you know better than people who are actually in the business of dealing with ransomware artists.
Second, did you miss, despite it being in the headline, that CalPERS would need to spend only $1.30 per affected beneficiary, that the rest of the cost would fall on its insurer? And that CalPERS publicly called its $67 million loss on SVB be a drop in the bucket? $1 million is couch lint to CalPERS.
Trying to unpick this a little. I don’t see confirmation anywhere that a ransom demand has been received (the FT article mentions that previous victims in the UK had received demands but doesn’t confirm any in relation to the latest breach). I had a look in the board minutes but couldn’t find it – a pointer to the correct page would be appreciated if it’s there, as there seems to be a lot of unrelated business.
It also seems to be a data breach rather than classic ransomware (in which malware is used to lock down one or more key systems and a ransom is demanded to unlock them, which looks to have been the situation at University of Vermont). In the ransomware case you are 100% going to lose those devices/apps and all their related data if you don’t pay, and you’ll very likely get them back if you do for the reasons you mention (although you’d better do a scorched-earth security audit right afterward or they’ll get you again before too long). The attacker has a great deal of leverage in that situation.
Generic data breaches due to a vulnerability are a slightly different story. Rather than being secured but with the keys held by the attacker, they’re just… out there. In the ransomware case, there’s an immediate and clear payoff (regaining access to the systems) and because the breach was due to the attacker’s own malware, they can credibly claim that they are the only ones with access. In a vulnerability case like this, the situation is less clear. What if you pay, the data ends up on the dark web anyway, and the attacker says it wasn’t them and it must have been an unrelated breach? We already know there was a vulnerability, and if these guys could get in, others could have too. It’s also notoriously difficult to put the genie back in the bottle once a data breach has occurred.
Depending on how the ransomware policy is written, it may or may not apply to data breaches of this nature. That does not change the fact that the CalPERS response on this is awful – they ought to be spelling all this out, and their FAQ page is a joke (they might as well have written ‘trust us’ in big letters and left it at that). But I think we need to know more details here to understand what a reasonable course of action would be.
Do we know what CalSTRS is doing? They seem to have been a victim as well and I recall they typically have better governance.
Doing a bit more reading. This seems to be an example of a supply chain attack, rather than a classic ransomware:
https://theconversation.com/moveit-hack-attack-on-bbc-and-ba-offers-glimpse-into-the-future-of-cybercrime-207670
It’s also relatively new. The discussion at the end of the article focuses on the monetization difficulty I mentioned – the harm associated with non-compliance is significantly lower.
Kim Malm did not say no ransom demand had been made, which would be the logical response to Brown’s questions about “Why haven’t you used the ransomware policy?” as opposed to talking about the deducible, which also suggests someone has recently looked at least at the summary of terms. Do you think anyone would know the deductibles for all the various CalPERS insurance policies off the top of their head?
Yes, that would seem like a reasonable inference, especially as that’s been the MO in the past. Something was obviously said in that meeting that made Brown ask the question and Malm respond with a highly specific non-answer, I just can’t track down exactly what (and couldn’t find it in the transcript).
Wow, the examples of institutionalized incompetence and corruption are so many, I have trouble keeping track of it all.
Thanks to NC for informing us.
Part of my meager pension is tied up in CalPers, I’m glad it is only a small part.
So I received my letter today about the breach and my information being involved. What immediately caught my eye was the part about “PBI provides services to CalPERS to identify member deaths.”
In 2021, CalPERS erroneously reported my death to Social Security less than a week after my mother’s death. This was confirmed by SS that CalPERS did it.
It took many months to get everything straightened out (lost my pension, medical, dental, vision, legal, etc.) In fact, CalPERS froze one of my bank accounts after I had obtained the required Proof of Life letter from SS and provided it to them!
I froze my credit 3 years ago and have been paying for extensive identity theft services for the last 2 years. This continues to create problems for me periodically – most recently with IRS as showing deceased somewhere in system so unable to electronically file returns.
I have zero confidence that this will be handled appropriately. So far online, I have found information on 2 law firms that are potentially doing class action lawsuits. I have been furious about CalPERS for too long.