CalPERS & CalSTRS' Third-Party Data Breach - SDCERS Not Impacted

Date: Jul 18, 2023


CalPERS and CalSTRS have informed its retired members and beneficiaries that their personal information may have been involved in a data breach. Neither CalPERS nor CalSTRS’ own information systems were compromised. However, PBI Research Services/Berwyn Group, a third-party vendor that both retirement systems contracted with to identify member deaths, used the file transfer application MOVEit, which was the subject of the breach. The app’s vulnerability allowed certain personally identifiable information, such as names, dates of birth, and social security numbers, to be downloaded by an unauthorized party. Overall, it has been reported that approximately 769,000 retired CalPERS members and 415,000 CalSTRS members and beneficiaries were affected.
As soon as the data breach was reported, SDCERS staff immediately ensured that our own systems remain secure, and that our contracted vendors were not affected by this worldwide data security incident. Although SDCERS was not impacted by this incident, members who are also members of CalPERS may be affected. CalPERS notified those who were affected via mail, but SDCERS does not have any specific information about the identities of those individuals. Therefore, in an effort to continue protecting your private information and SDCERS account details, we have internally flagged the accounts of all SDCERS retirees who have requested reciprocity with CalPERS. If a member with a flagged account contacts SDCERS, our Call Center has been instructed to be extra vigilant when confirming the identity of the caller before releasing any information. If the caller is unable to satisfactorily answer the security questions, the call will be escalated to a supervisor.
To reiterate, SDCERS was not impacted by this cybersecurity incident and your private information remains secure. Further, SDCERS maintains effective safeguards to prevent these types of security breaches. In fact, SDCERS’ network recently underwent an annual penetration test, which includes a scan of all systems and devices connected to our network to identify security vulnerabilities. The results were very positive and the testing vendor stated, “the SDCERS network was observed as extremely secure.” This test was in addition to our regular Department of Homeland Security scans, internal scans, WhiteHat weekly external penetration testing, and audits performed by our external and internal auditors.


Document Under Categories: News Articles, Press Release