More than 14,000 state workers, retirees affected by mass hack of file-sharing program

Personal information for more than 14,000 state workers and retirees  may be at risk under a mass hacking of a popular file transfer program.

The security breach of software application MOVEit has exposed names, addresses, social security numbers and other personal information for more than 17.5 million people worldwide, with targets including colleges and universities, banks, major energy companies and state motor vehicle registries, according to news reports. 

Data breach could affect 3.5 million Oregonians

The latest victim: the Employees Retirement System of Rhode Island, the state-run investment plan funding pensions for thousands of state and municipal government workers and retirees. A

Michelle Moreno-Silva, a spokeperson for Rhode Island Treasurer James Diossa’s office, said an estimated 13,000 retirees may be impacted by the breach. Add in the 1,600 active state employees at risk, according to Laura Hart, a spokesperson for the Rhode Island Department of Administration, for a total of 14,600 people whose personal information may have been hacked.

That’s because the Teachers Insurance and Annuity Association of America (TIAA), the financial services company acting as a vendor for the state’s defined contribution plan, used MOVEIt for file transfers.

A prior DOA email sent to state employees on July 7, which was obtained by Rhode Island Current, pegged the number of employees affected at 1,200.

The breach did not extend to the state’s secure network for its defined benefit plan, nor did it affect pension payments, according to the original email.

State workers and retirees who have a tax-advantaged retirement plan – known as a 457(b) – or a retirement plan that replaces social security (known as a FICA Alternative Retirement Plan) may have had personal information compromised by the hack, according to the email. Pension Benefit Information, LLC, the TIAA vendor that runs the file transfer program, will contact any affected current or retired or state workers “in the coming weeks” and offer free credit monitoring services, the email said.

“We are providing the best information we have regarding this incident and will update you with additional information as it becomes available,” the email stated.

Additionally, the company has fixed the weakness that allowed the hack to happen, while adding more security measures, according to the state. TIAA is also monitoring the accounts of all state participants, though it has not found “unusual activity” from the MOVEit hack as of Friday, the email said.

The breach comes nearly two years after a ransomware hack into the Rhode Island Public Transit Authority computers compromised personal health information for more than 20,000 current and former state workers. The American Civil Liberties Union of Rhode Island later sued RIPTA and United Healthcare of New England, seeking financial compensation and details on how the breach happened.

The RIPTA data breach and subsequent legislative oversight hearings led to strengthening existing state law around cybersecurity threats. The legislation, enacted on June 27 without Gov. Dan McKee’s signature, requires state and municipal agencies to report security breaches that compromise personal information to employees, including applicable labor unions, within 30 days. They must also provide “remediation services” to those affected.

The law also gives government agencies 24 hours to notify state police, and, when more than 500 people are affected, a 45-day window to tell the attorney general and credit agencies.

Sen. Lou DiPalma, a Middletown Democrat who sponsored the Senate version of the bill, said he was “cautiously optimistic” judging by how the state handled initial notification of the MOVEit breach. However, DiPalma also wanted more details about when the hack happened, when the state found out, and who was affected.

DiPalma suspected that the initial 1,200 estimate of people could grow as the investigation continues, recalling that RIPTA originally estimated its ransomware hack affected 5,000 people, before bumping up its estimate to 17,000, and later, 22,000 people.

“This is a critical issue and it’s only going to continue,” DiPalma said.

The state email referred to TIAA’s customer protection policy and customer service line for those seeking more information.

Meanwhile, Diossa is in “constant communication” with TIAA since being notified of the breach, according to an emailed statement from Moreno-Silva.

“Treasurer James Diossa’s priority is protecting all pensioners, and that includes their private information,” Moreno-Silva said. “Our office has shared guidance on the Treasury website and is sending letters and emails to all those affected. Treasurer Diossa is calling for the involved vendor and subcontractor to make investments in strengthening their cybersecurity protocols.”

Note: This story has been updated to reflect new estimates on the number of employees and retirees affected by the breach.