Cyber Incident Victim: Wake Forest University

A global cybersecurity incident involving the MOVEit Transfer software affected two third-party benefits administrators used by Wake Forest University: TIAA, the University’s retirement plan administrator, and Genworth, its Long Term Care Insurance Provider. Both administrators notified Wake Forest that a vendor with which they contract, Pension Benefit Information, LLC (“PBI”), used the compromised MOVEit software. The incident became known to the University around May 31, 2023, following notifications from its partners. TIAA confirmed to the University that some WFU participants had been impacted by this event. At the time of the University’s statement, Wake Forest had not yet received confirmation from Genworth regarding whether any of its participants were specifically impacted.

The core of the incident involved the systems of PBI. This vendor receives participants’ personal data from administrators like TIAA and Genworth to perform a specific service: comparing this data against death notices and obituaries to assist companies with death claims and beneficiary processes, a requirement under law. The unauthorized party gained access to this data by exploiting a vulnerability in the MOVEit Transfer software utilized by PBI. The personal information of individuals impacted by this security breach included names, dates of birth, addresses, gender, and Social Security numbers. This constitutes a significant compromise of sensitive personally identifiable information.

In response to the breach, PBI undertook several specific actions. The company notified law enforcement authorities about the intrusion. It also engaged a third-party cybersecurity and digital forensic specialist to conduct an investigation to identify the full extent of the impact on the data it held. The primary responsibility for direct communication and remediation for affected individuals fell to PBI, as the entity that experienced the direct breach. TIAA informed Wake Forest that PBI would be sending formal notification letters to impacted individuals. Furthermore, PBI committed to providing credit monitoring services to those people whose data was compromised.

Wake Forest University's role was largely that of a communicator and intermediary, as its own systems were not directly breached. The University’s Human Resources department published a detailed statement to inform its employees of the situation on July 1, 2023. The statement outlined the nature of the incident, the involved third parties, and the confirmed impact on some participants. The University emphasized its strong focus on data security and used the occasion to underscore the importance of vigilance. It strongly recommended that individuals review guidelines for safeguarding personal information and proactively monitor their financial accounts and credit histories for any unusual activity.

TIAA provided an additional layer of reassurance to participants, stating that it had not observed any related unusual activity stemming from this event involving its own accounts. This indicated that the breach was contained to the systems of PBI and had not led to a subsequent compromise of the financial accounts held directly with TIAA. The University committed to maintaining ongoing communication with both TIAA and Genworth to gather more information. Wake Forest stated its intention to provide further updates to its employees as more details became available from its benefits administrators and the involved vendor, PBI. The incident highlights the cascading effect of a supply chain attack, where a vulnerability in a single software product used by a vendor can impact the data security of individuals across numerous organizations that rely on that vendor’s services.