MOVEit hack reaches California state workers’ pension fund

The California Public Employees’ Retirement System revealed Wednesday that it is the latest state-government agency to be affected by the compromise of the popular file-transfer software MOVEit, after a third-party vendor fell prey to a hacking campaign from group exploiting a zero-day vulnerability in the software, affecting about 769,000 of the pension plan’s beneficiaries.

The vendor, PBI Research Services, informed CalPERS on June 6 that the vulnerability allowed an unauthorized user to download some of the pension fund’s data, including people’s names, dates of birth and Social Security numbers.

PBI Research provides CalPERS with information about enrollees’ deaths to ensure proper payments and avoid overpayments. According to officials, none of the fund’s IT systems were directly impacted by the MOVEit vulnerability and payments are continuing to go out as scheduled.

CalPERS is the nation’s largest public-employee pension fund, with more than 2 million active members, including current and retired state workers and teachers. It had about $440 billion in assets under management as of June 2022. According to CalPERS’ breach notice, its exposure to the MOVEit hack was limited to retired members and their spouses, who are in the process of being notified.

A ransomware group named Cl0p claimed responsibility for the MOVEit hack, which began May 31 with the exploitation of a previously unknown vulnerability in the file-transfer software, which is used by thousands of public- and private-sector organizations around the world. MOVEit publisher Progress Software has since confirmed two additional vulnerabilities and issued several patches.

The Cl0p group has also started posting some of its private-sector victims’ data on its extortion site, where it also claims to refrain from publishing data stolen from government agencies. According to Brett Callow, an analyst at the antivirus company Emsisoft, CalPERS is the 93rd organization worldwide confirmed to have been impacted by the MOVEit breach.

Callow told StateScoop that list of victims includes 12 in the U.S. public sector — among them, agencies in at least six other states as well as the Department of Energy — five American universities and eight other public-sector entities around the world.

Progress Software was hit Wednesday by a proposed class-action lawsuit led by three customers of the Louisiana Office of Motor Vehicles, one of the first state agencies to confirm its exposure to the MOVEit hack. The plaintiffs claim Progress failed to properly implement data security tools and monitor its network, and are seeking monetary damages and lifetime credit monitoring.

PBI Research, the vendor linked to the CalPERS data breach, also counts among its customers the pension plans for public-sector workers in Nevada, New Jersey and Tennessee, according to the company’s website.