Cyber Incident Victim: Public School and Education Employee Retirement Systems of Missouri

On September 11, 2021, the Public School and Education Employee Retirement Systems of Missouri (PSRS/PEERS) experienced a security incident involving unauthorized access to an employee’s email account. An external threat actor compromised the account and maintained access for less than one hour before IT personnel detected the intrusion and disabled the account. The breach was contained swiftly after the organization’s security team received an alert prompting immediate action. Investigation revealed the compromised email account contained sensitive personal information of PSRS/PEERS members, including full names and retirement system account numbers. A subset of affected individuals also had their dates of birth exposed. The organization did not specify the exact method of initial access or whether multi-factor authentication (MFA) was enabled on the account at the time of the incident.

PSRS/PEERS notified 349,246 employees and retirees of the breach, confirming the exposure of personally identifiable information but clarifying that Social Security numbers (SSNs) were not stored in the affected email account. This incident occurred separately from another contemporaneous event involving a vulnerability on a Missouri state agency website, where a St. Louis Post-Dispatch reporter discovered publicly accessible teachers’ SSNs. While both incidents impacted Missouri educators, the email compromise at PSRS/PEERS constituted a distinct external breach rather than an inadvertent data exposure. The organization submitted a copy of its breach notification letter to the Maine Attorney General’s Office as part of regulatory compliance efforts. No details were provided regarding forensic findings about the attacker’s identity or motives, nor were specific technical measures implemented post-incident disclosed beyond the account deactivation.