US Pension Fund Hit By MoveIT Vulnerability

The California Public Employees’ Retirement System, Calpers, the biggest public pension plan in the US, is now the latest organisation to be hit by the MOVEit cyber attack with about 769k of its members affected by the global data breach.

The hackers also may have stoled the information on Calpers members’ former or current employers, spouses or domestic partners, and children. All types of retirees are affected, whether they worked for the state, public agencies, school districts, in the courts or in the California legislature.

In a statement published on Calpers website, the $442bn pension fund has told its retired members that some of their personal information, including dates of birth and social security numbers, were stolen in a damaging supply chain exploit. It blamed the breach on a third-party vendor that verifies deaths. The same vendor, PBI Research Services/Berwyn Group, also lost the personal data of at least 2.5 million Genworth Financial policyholders, including Social Security numbers, to the same criminal gang, according to the Fortune 500 insurer.

The hack involved a vulnerability in the MOVEit file transfer service from the Progress software company, who informed customers on May 31 that its software had an unknown weakness enabling hackers to steal large amounts of data.

“On June 6, 2023, PBI notified Calpers that a previously unknown ‘zero-day’ vulnerability in their MOVEit Transfer Application allowed our data to be downloaded by an unauthorised third party,” Calpers said in the statement. A zero-day vulnerability is a security flaw that has not yet been identified or patched by the software provider.

Calpers chief executive Marcie Frost commented .“This external breach of information is inexcusable... Our members deserve better. As soon as we learned about what happened, we took fast action to protect our members’ financial interests, as well as steps to ensure long-term protections.”

PBI has reported the matter to federal law enforcement and has told Calpers it has resolved the vulnerability while also putting additional security measures in place. Earlier this month, tens of thousands of employees at some of Britain’s biggest companies had their personal data compromised by a Russian-speaking criminal group, known a CLOP, understood to be behind the MOVEit hack, which has quickly spread to the US

Prior demands from the suspected Russian gang, which has been called Clop by cyber security experts, have regularly been more than $1m and as high as $35m. The Clop hacking group is known to hunt for vulnerabilities in secure file-transfer software, since companies are often required by law to handle some of their most valuable data with such providers.

Govtech:     KCRA:         FT:     Fox:    CBS:    SacBee

You Might Also Read: 

Cyber Security & The  Financial Services Industry:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

 


Cyber Security Intelligence: Captured Organised & Accessible


 

« Twenty Million Scam Emails Reported In Britain
Canada Challenges Meta Over Access To News »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Micron Technology

Micron Technology

Micron is a global leader in the semiconductor industry providing memory and secure storage devices for Networks, Mobile devices and IoT applications.

StratoKey

StratoKey

StratoKey is an intelligent Cloud Access Security Broker (CASB) that secures your cloud and SaaS applications against data breaches, so you can do secure and compliant business in the cloud.

OnSystem Logic

OnSystem Logic

OnSystem Logic has developed a unique, patent-pending solution to solve the problem of the exploitation of flaws in application software as a technique for cyber attacks.

CynergisTek

CynergisTek

CynergisTek is a top-ranked cybersecurity and information management consulting firm dedicated to serving the healthcare industry.

Hypersecu Information Systems

Hypersecu Information Systems

Hypersecu Information Systems, Inc. is a solution provider dedicated to multi-factor authentication, public key infrastructure and software copyright protection.

International Accreditation Forum (IAF)

International Accreditation Forum (IAF)

The IAF is the world association of Conformity Assessment Accreditation Bodies. Its primary function is to develop a single worldwide programme of conformity assessment.

Riddle&Code

Riddle&Code

Riddle&Code is a product-led services company specializing in onboarding industries to Web3. The team's mission is to provide a trusted connection between the digital and physical worlds.

Ampliphae

Ampliphae

Ampliphae gives you an easy-to-deploy, sophisticated and affordable cloud-discovery, security and compliance platform.

VectorRock

VectorRock

Save Your Business From Cyber Criminals. We specialize in uncovering cyber risks which threaten your organization and fixing them.

Magna5

Magna5

Magna5 is a managed IT service provider focusing in network and server monitoring, backup and disaster recovery, cybersecurity, help desk and SD-WAN.

Primary Guard

Primary Guard

Primary Guard provides IT solutions and computing technologies that help minimize impact from cyber threats, improve business efficiency and maintain essential functions during or after a disaster.

Avocado Consulting

Avocado Consulting

Avocado helps clients deliver with certainty on their complex IT change, with technology services that automate, monitor and optimise.

Olympix

Olympix

Dev-first Web3 security that starts at the source. Olympix is a pioneering DevSecOps tool that puts security in the hands of the developer by proactively securing code from day one.

HaystackID

HaystackID

HaystackID provides industry-leading computer forensics, eDiscovery, and attorney document review experts to help with complex, data-intensive investigations and litigation.

Airlock Digital

Airlock Digital

Airlock Digital was created after many years of experience in implementing whitelisting/ allowlisting solutions in Federal Government and various enterprises in Australia.

StepSecurity

StepSecurity

StepSecurity provides a comprehensive security platform for GitHub Actions.