CalPERS is refusing to take readily available measures to prevent the release of hacked personal data of 770,000 beneficiaries. And as we’ll explain below, the information at issue is extensive, with the potential to create identity theft hell. CalPERS has indicated it will not use its ransomware policy, with a $1 million deductible, to pay off the hackers. Mind you, as indicated, that’s a mere $1.30 per affected beneficiary.
Oh, but those beneficiaries are retirees plus a comparatively few inactives, who are typically government employees who left for the private sector. So CalPERS executives can’t be bothered, since they see this group as not powerful enough to be worth protecting, despite the large numbers harmed.
If this had been the data of current CalPERS employees, you’d be sure CalPERS would be willing to pay whatever it took to appease the ransomware artists. After all, this is the CalPERS that hand-waved away a $67 million loss on Silicon Valley Bank as a drop in the bucket.
As you’ll also see, this story is the latest in a series of fiascoes regarding CalPERS’ failure to take measures to make sure that dead people stopped getting CalPERS benefit checks, a failure that produced an overpayments scandal. So CalPERS belatedly moved to solve a problem that started in 2011. Then, the Social Security Administration significantly reduced access to its full Death Master File, specifically preventing entities that were not Federal or State agencies from getting the portion of the data file that relied on death certificates. Weirdly, CalPERS, as a California state agency, was deemed not to qualify.
But only years later, in 2021, after being embarrassed in the press, did CalPERS decide to Do Something. As you can see in the embedded board transcript below (search on Social Security), CalPERS had been negotiating with the Social Security Administration to get access to their full Death Master File, with approval expected by year end 2021 and implementation to be underway by August 2022. CalPERS oddly was also signing up, per the transcript, to use two vendors who would develop their own death files, relying heavily on obituaries.
Why didn’t CalPERS wait the few additional months to get the Social Security data? Maybe because no opportunity to buy friends via unnecessary contracts should be passed up. And maybe because doing the work in house would be, well, work and would mean CalPERS would have no one to blame if there were screw-ups.
Making those matches is messy, since a dead person may have a common name, requiring the vendor to use other information about the person, like city of residence, street address, spouse and children’s names, along with the linchpin, the full Social Security number, to confirm the identity.
The data breach occurred at the outside vendor. CalPERS told beneficiaries that it sent the data over encrypted, and that the data was stolen after the vendor decrypted it in order to use it. From the Financial Times:
In a statement published on its website, the $442bn pension fund alerted its retired members and their families that some of their personal information, including dates of birth and social security numbers, was downloaded during an incident impacting its contracted third-party provider PBI Research Services/Berwyn Group. The incident involved the MOVEit file transfer service.
“On June 6, 2023, PBI notified Calpers that a previously unknown ‘zero-day’ vulnerability in their MOVEit Transfer Application allowed our data to be downloaded by an unauthorised third party,” Calpers said in the statement. A zero-day vulnerability is a security flaw that has not yet been identified or patched by the software provider.
The California-based fund estimates the security incident affected the personal information of about 769,000 members.
“This external breach of information is inexcusable,” said Calpers chief executive Marcie Frost.
“Our members deserve better. As soon as we learned about what happened, we took fast action to protect our members’ financial interests, as well as steps to ensure long-term protections.”
Frost is, as usual, lying shamelessly.
The Financial Times article makes clear that a “Russian-speaking criminal gang” called the Clop group had hacked personal data at UK companies and issued ransomware demands, and was expected to hit US concerns soon.
KCRA supplied more information, that roughly 415,000 CalSTRS members had also been hit, and gave more of an idea of the extent of the breach:
The app’s vulnerability allowed data like first and last names, date of birth and Social Security numbers to be downloaded by an unauthorized third party, CalPERS said. The names of members’ family members could also have been accessed….
But along with retired members and their families, the breach could have also impacted inactive members who soon become eligible for benefits, CalPERS said….
It was not immediately clear if CalPERS has received reports of fraud in connection with the breach. KCRA 3 is also asking why the agency waited until this week to announce the breach.
“I felt just– flabbergasted that they didn’t say anything to anybody before this. We should have known. We should have been able to check our accounts,” said Randy Cheek, legislative director for the Retired Public Employees’ Association of California.
Cheek alludes to the real danger, which the news stories skip over. It’s identity theft, which can lead to anything from loans being taken out in your name to money hoovered out of your bank account (this happened recently to a friend at Chase to the tune of $25,000).1
Now to the Frost howler about acting quickly. Randy Cheek is correct to complain that beneficiaries were not warned until it was convenient for CalPERS, right after a regular closed session where the board was informed of the hacking (note that CalPERS has a procedure for emergency board meetings, but staff couldn’t be bothered to treat this matter as important). On top of that, CalPERS was not willing to use its ransomware policy to pay off the hackers and buy the information back.
After the closed session, CalPERS held a 15-minute meeting with retirees at CalPERS. Frost and senior staff did not deign to show, another sign of lack of concern about beneficiary welfare.
On the way out of the side meeting, former board member Margaret Brown accosted Kim Malm, interim deputy executive officer for the Customer Services & Support Section. Other retirees heard this exchange.
Brown asked her why CalPERS had not used its ransomware policy.
Malm said the deductible was $1 million, as if that was too high.
Brown repeated her query, why had CalPERS not triggered the policy.
Malm gave her a blank stare and walked away.
What is the point of paying for insurance and not using it? Is this yet another case of CalPERS expensively buying favors by enriching insurers and their brokers?
Malm’s reaction, which Brown read as meaning that no one at CalPERS was even considering putting in a claim under the ransomware policy, suggests either that no one had even looked at it or that management had decided mere retirees weren’t worth it.
Now it may also be that CalPERS knows the ransomware policy is an empty bag. If so, why pay for it?
CalPERS failed to protect its beneficiaries in other ways:
Why doesn’t PBI have insurance to cover the data breach? There’s no mention in any of the press stories that PBI might be able to cover some of any losses.
Why didn’t CalPERS’ contract require PBI/Berwyn to have ransomware insurance?
Does CalPERS’ ransomware insurance cover third parties? If not, it’s even more inexcusable that CalPERS didn’t require its death data vendors to be well covered.
I’ve gotten quite a few upset calls. One prominent retiree wrote me, disgusted about the latest failure under Frost:
I thought [former CEO Fred] Buenrostro [sentenced to 4 1/2 years in Federal prison for embezzlement and other charges] was bad and then came Marcie Frost whose hires and policy decisions stink of incompetencies. The news of the security breach by PBI which has compromised data of retirees such as myself is shattering. As a result of this breach, I sent every CalPERS Board member an email demanding that the Board and Frost meet with membership so we can confront Frost with our questions about the breach. We deserve as much but what I would really like is for the Board to have a vote of no confidence and fire Frost. It won’t happen. Sadly, this Board is as clueless and incompetent as Frost.
Friends working at CalPERS have shared that Frost was responsible for hiring PBI – if that is true it is one more bad decision on her part.
The nepotism, the sweetheart deals with health plans, the embracing of risk management after it failed, and so much more are too exhausting to think about anymore. I am grateful I was able to retire when I did because CalPERS has deteriorated more than I dreamed possible.
Sadly even with the Financial Times picking up on the story, the coverage is suitably bland and completely misses how CalPERS is throwing retirees under the bus out of sheer laziness and perhaps even spite, since it’s the retirees who have been doing what they can to combat corruption and incompetence at CalPERS.
1 One wonders how the crooks figured out which bank to target. But Chase is a big bank, perhaps they just brute forced the top five.