Cyber Incident Victim: Employees' Retirement System of Rhode Island
Date: Jul 2023
Location: United States of America
Summary
A cyber incident impacted the Employees' Retirement System of Rhode Island as a result of the mass exploitation of the MOVEit file transfer program used by a vendor. The breach compromised the personal information of thousands of state workers and retirees, including names, addresses, Social Security numbers, and dates of birth. Pension payments and the main state retirement system network were not affected.
Description
The Employees’ Retirement System of Rhode Island (ERSRI) was affected by a significant cybersecurity incident involving a mass exploitation of a vulnerability in the MOVEit file transfer program. The incident was disclosed to ERSRI by TIAA, the financial services company acting as the vendor for the state’s Defined Contribution Plan. TIAA utilized a subcontractor, Pension Benefit Information, LLC (PBI), which employed the MOVEit application for its file transfer operations. PBI’s role involved receiving personal data of individual participants and clients to match it against death notices and obituaries, thereby assisting TIAA in death claim and beneficiary processes. The core of the incident stemmed from a previously existing vulnerability within PBI’s MOVEit Transfer Application, which allowed an unauthorized third party to download data. PBI notified TIAA of this breach, disclosing that they had communicated the specific impacts to federal law enforcement and their institutional clients, including TIAA. Following the discovery, PBI reported that it had resolved the vulnerability and implemented additional security measures to prevent future occurrences.

The personal information compromised in this breach was extensive and sensitive. It included the first and last names, addresses, dates of birth, Social Security numbers, and gender of affected individuals. The scope of impact was broad, encompassing a specific subset of participants associated with the TIAA-managed Defined Contribution Plan. This group included participants with a TIAA plan account balance greater than zero dollars who had not made a contribution to their account within the last ninety days. Former employees who had contributed to their TIAA plan in the past and still maintained an account balance were also included, as were current employees who were not currently contributing but had done so previously. Furthermore, participants who were receiving retirement income payments from some, but not all, of their TIAA plan account assets were affected, including those who were receiving such payments while simultaneously making current contributions to their accounts.

Initial state communications provided varying estimates of the number of individuals impacted. An email from the Rhode Island Department of Administration sent on July 7th initially estimated that 1,200 state employees were affected. However, subsequent statements from state officials revised this figure significantly. A spokesperson for the Rhode Island Treasurer’s office stated that an estimated 13,000 retirees were impacted, while a spokesperson for the Rhode Island Department of Administration confirmed an additional 1,600 active state employees were at risk, bringing the total estimated number of affected individuals to 14,600.
It is critically important to distinguish the systems involved in this breach. The incident was isolated to the file transfer processes managed by TIAA's vendor, PBI, and did not constitute a direct breach of ERSRI's own secure networks. The defined benefit plan, which is the primary pension system managed directly by ERSRI, remained entirely secure and unaffected. Officials explicitly confirmed that there was no unauthorized access to the ERSRI secure network, meaning no member or beneficiary accounts or financial information within the Defined Benefit Plan were compromised. Consequently, pension payments for all retirees continued without any interruption or effect from the cybersecurity event. The financial and operational integrity of the core state pension system was maintained throughout.
Upon being notified of the breach, the state response was coordinated through the Treasurer’s office. Treasurer James Diossa was said to be in constant communication with TIAA following the notification. The priority of the Treasurer’s office was articulated as protecting all pensioners and their private information. In response to the incident, the office shared guidance on the Treasury website and undertook efforts to send letters and emails to all those affected. Furthermore, Treasurer Diossa called for the involved vendor and subcontractor to invest in strengthening their cybersecurity protocols to prevent similar future incidents. For their part, TIAA assured ERSRI that they were continuously monitoring all participant accounts and had not detected any unusual activity attributable to the MOVEit incident at the time of the initial notification. TIAA also stated it was monitoring online account access and registration and had measures in place to deny access as needed, directing participants to its customer protection policy for more information.
The responsibility for remediation and direct communication with the affected individuals fell to PBI, the originating point of the breach. PBI committed to sending formal letters to the members and beneficiaries whose information was involved in the coming weeks after the incident. These letters were to include an offer of free credit monitoring services to help individuals protect themselves from potential identity theft or fraud. In the interim period before these letters were distributed, affected individuals were advised to remain vigilant by regularly reviewing and monitoring their accounts and credit history for any signs of unauthorized transactions or activity. They were directed to resources on how to protect their identity provided by the Consumer.gov website and instructed to contact their local police if they ever suspected they were a victim of identity theft or fraud. TIAA’s customer service line was also provided as a point of contact for individuals with questions, available from 8:00 a.m. to 8:00 p.m. Eastern Standard Time.
This incident occurred against a backdrop of heightened awareness regarding cybersecurity within Rhode Island state government, following a prior major ransomware attack on the Rhode Island Public Transit Authority (RIPTA) computers nearly two years earlier. That earlier breach had compromised personal health information for over 20,000 current and former state workers and led to litigation and subsequent legislative action. The state's response to the MOVEit breach was an early test of new legislation enacted on June 27th, just before this incident became public. This strengthened law requires state and municipal agencies to report security breaches that compromise personal information to employees and applicable labor unions within 30 days. The law also mandates that government agencies provide “remediation services” to those affected, notify state police within 24 hours, and, when more than 500 people are affected, inform the attorney general and credit agencies within 45 days. A state senator who sponsored the legislation noted that the initial handling of the MOVEit breach notification seemed promising but also expressed a desire for more detailed information regarding the timeline of the hack and its discovery. He also cautioned that the number of affected individuals could potentially increase as the investigation continued, drawing a parallel to the RIPTA incident where initial estimates were far lower than the final count.
