Receive free Cyber Security updates
We’ll send you a myFT Daily Digest email rounding up the latest Cyber Security news every morning.
Calpers, the biggest public pension plan in the US, has become the latest organisation to be hit by the MOVEit cyber attack with about 770,000 of its members affected by the global data breach.
In a statement published on its website, the $442bn pension fund alerted its retired members and their families that some of their personal information, including dates of birth and social security numbers, were downloaded during an incident impacting its contracted third-party provider PBI Research Services/Berwyn Group. The incident involved the MOVEit file transfer service.
“On June 6, 2023, PBI notified Calpers that a previously unknown ‘zero-day’ vulnerability in their MOVEit Transfer Application allowed our data to be downloaded by an unauthorised third party,” Calpers said in the statement. A zero-day vulnerability is a security flaw that has not yet been identified or patched by the software provider.
The California-based fund estimates the security incident affected the personal information of about 769,000 members.
“This external breach of information is inexcusable,” said Calpers chief executive Marcie Frost.
“Our members deserve better. As soon as we learned about what happened, we took fast action to protect our members’ financial interests, as well as steps to ensure long-term protections.”
PBI has reported the matter to federal law enforcement and has told Calpers it has resolved the vulnerability while also putting additional security measures in place.
Earlier this month, tens of thousands of employees at some of Britain’s biggest companies had their personal data compromised by a Russian-speaking criminal gang behind the MOVEit hack. At the time, experts said they expected the hack to spread to the US and ensnare more victims.
Prior demands from the suspected Russian gang, dubbed Clop by cyber security experts, have regularly been more than $1mn and as high as $35mn.
The Clop hacking group is known to hunt for vulnerabilities in secure file-transfer software, since companies are often required by law to handle some of their most valuable data with such providers.
MOVEit’s manufacturer informed customers on May 31 that its software had an unknown weakness allowing hackers to steal large amounts of data.
Read the full article here
