
Cyber Incident Victim: TIAA

Date: May 2023

Location: United States of America

Summary

A third-party vendor, Pension Benefit Information, suffered a zero-day exploit on its MOVEit Transfer server, compromising data from its client TIAA Kaspick. The external system breach exposed the personal information of tens of thousands of individuals, including names and Social Security numbers. The incident also impacted entities such as the University of Utah, where health plan member, donor, and employee data was potentially accessed. The vendor offered affected individuals two years of credit monitoring and identity theft restoration services.


Description

On or around May 29, 2023, Pension Benefit Information, LLC (PBI), a vendor to the financial services firm TIAA Kaspick, LLC, suffered a zero-day exploit in its MOVEit Transfer server. This incident constituted an external system breach, or hacking. The unauthorized access to the PBI server occurred over a two-day period, from May 29 to May 30, 2023. The vendor did not discover the breach until nearly a month later, on June 23, 2023. The specific vulnerability exploited was a zero-day in the MOVEit file transfer software, a widely used application for secure data transfers.


The primary information acquired in this breach was the name or other personal identifier in combination with the Social Security number. The total number of individuals affected by this incident at TIAA Kaspick was 27,946 persons, including 359 residents of the state of Maine. The breach at PBI, as a vendor to TIAA Kaspick, had a cascading effect, exposing data that the firm managed for its own clients. This incident was part of a larger, coordinated series of attacks exploiting the same MOVEit software vulnerability, impacting numerous organizations nationwide that used the application or relied on vendors that did.

The University of Utah was one such organization impacted through its relationships with vendors caught in the same widespread attack. The university documented four separate nationwide data breaches all traced back to the MOVEIt Transfer software used by its third-party contractors. One of these incidents was directly linked to the TIAA Kaspick breach. On June 29, 2023, TIAA Kaspick alerted University of Utah Advancement leaders about the security breach that had occurred at the end of May. This incident involved donor records related to the university's planned and legacy giving programs. The investigation determined that approximately 30 donors to the University of Utah were impacted. The personal information exposed included their names, birthdates, and Social Security numbers. The university reported that no other information was compromised in this particular exposure.

In a separate but related incident stemming from the same broader MOVEit exploitation campaign, another University of Utah vendor, TMG Health, Inc., experienced a breach. On June 21, 2023, data security personnel at TMG discovered that an unauthorized external user had accessed a MOVEit file transfer server and downloaded files between May 30 and June 2, 2023. These files potentially contained University of Utah Health Plans member information. Once TMG learned of the unauthorized access, they blocked the user from further access and notified the university's health plan. The investigation concluded that approximately 3,900 patient records were accessed. The potential exposure was significant and could have included mailing address, email address, phone number, date of birth, Social Security Number, medical claims information, banking information, billing information, and/or medical treatment information.

A third data exposure at the University of Utah was also connected to TIAA. On July 7, 2023, TIAA notified University Human Resources that data for current and former employees may have been exposed through a breach at one of its third-party vendors. This exposed data included dates of birth and Social Security numbers for more than 13,800 individuals. A fourth potential incident involved student records managed by the University Registrar through the National Student Clearinghouse, which also used the MOVEit software. However, in an August 9 notice, the National Student Clearinghouse informed the university that their review did not identify any individuals associated with the University of Utah whose Social Security number, student identification number, or date of birth, as provided by the university, was included in the affected files.

The response to the TIAA Kaspick breach involved written notification to all affected individuals. The date scheduled for consumer notification was July 14, 2023. As part of its response, TIAA Kaspick, through its parent company TIAA, offered identity theft protection services to the affected individuals. This offering consisted of two years of free credit monitoring, fraud consulting, and identity theft restoration services provided by the firm Kroll. A dedicated call line was also established so that potentially affected individuals could raise questions or concerns regarding the incident and the services being offered.

The University of Utah also undertook notification and response actions for the incidents affecting its community. For the health plan member data exposed via TMG Health, University of Utah Health Plans (UUHP) mailed letters to affected members on August 10, 2023. The notification advised potentially impacted members to monitor their accounts, charges, and statements for any discrepancies or services they did not receive and to report any concerns to their local law enforcement or consumer protection agency. UUHP stated it had no indication that member information had been misused. For the advancement donors impacted through TIAA Kaspick, the vendor itself was responsible for notifying all impacted donors or their representatives and for offering each of them two years of free credit monitoring. The university reported that no fraudulent activity related to this breach had been reported at the time. For the large-scale exposure of human resources data, TIAA worked directly with University Human Resources to communicate with the over 13,800 current and former employees whose data may have been exposed. The consequences of these breaches were the potential exposure of highly sensitive personal, financial, and health information, creating a risk of identity theft and fraud for tens of thousands of individuals across multiple institutions. The scope was national, affecting numerous entities that relied on the vulnerable MOVEit Transfer software or on vendors that used it.
