Cyber Incident Victim: New Hampshire Retirement System
Date: Aug 2023
Location: United States of America
Summary
The New Hampshire Retirement System (NHRS) experienced a data breach when a third-party vendor, PBI Research Services, was compromised through a vulnerability in the MOVEit file transfer application that PBI used to move data. The exposed information belonged to NHRS retirees and beneficiaries and included names, dates of birth, zip codes, and Social Security numbers. No NHRS-operated systems were compromised. PBI is handling notification and is offering free credit monitoring and identity protection services to those affected.
Description
The New Hampshire Retirement System (NHRS) experienced a cybersecurity incident involving the exposure of annuitant data through a vulnerability in software used by a third-party service provider. The incident did not involve a breach of NHRS's own computer systems or networks, which remained uncompromised throughout. NHRS was notified by its service provider, PBI Research Services (PBI), that an application PBI used for data transfers, MOVEit, contained a vulnerability that allowed unauthorized parties to access data handled by that application. Because PBI used MOVEit to process NHRS data as part of its services, the vulnerability put the information of NHRS retirees and beneficiaries at risk.

PBI Research Services provides audit and address research services to insurers, pension funds, and similar organizations. As a vendor to NHRS, PBI handled specific data sets relating to the retirement system's annuitants. The data involved in this incident consists of the names, dates of birth, zip codes, and Social Security numbers of NHRS retirees and beneficiaries who receive a monthly benefit. This personal information was exposed as a direct result of the vulnerability in the MOVEit file transfer tool used by PBI, not through any failure or intrusion within NHRS infrastructure.
The MOVEit compromise is part of a larger, widely reported cybersecurity event that affected a substantial number of organizations across many industries, including other state pension plans. The breadth of the event shows that the vulnerability was not specific to PBI or NHRS but was a flaw in the software itself, so every organization running a vulnerable MOVEit instance was potentially exposed in the same way. After the vulnerability was discovered, the developer of MOVEit released a patch to close the flaw and prevent further unauthorized access. The patch stops new exploitation of patched systems; it does not recover data that was already accessed on servers exploited before it was applied, which is why the downstream notification and identity protection measures were still required.
Notification of the affected individuals is being handled directly by PBI, the third-party vendor at the center of the data exposure. PBI is responsible for notifying the impacted NHRS retirees and beneficiaries by mail in the weeks following the August 8th announcement. All notification letters from PBI are dated August 3rd and contain the information recipients need to act. The letter explains how to enroll in free credit monitoring and identity restoration services offered through Kroll, a risk and cybersecurity services provider. Each letter carries a unique membership number and instructions for signing up for these protective services. Eligible individuals have until November 1, 2023, to enroll in the free services offered as a remedial measure following the data exposure.
NHRS has taken steps to communicate the incident to its community, expressing regret that its service provider was involved in the broader MOVEit incident and emphasizing the importance of the offered credit and identity protection services. The retirement system has established a dedicated contact email, [email protected], to address questions from concerned retirees and beneficiaries. NHRS has stated that it respects the privacy and security of all its members and is treating the matter with seriousness, despite the incident originating entirely outside of its direct control and infrastructure.
The incident highlights the risks inherent in third-party vendor relationships and in relying on external software products to handle sensitive data. Although NHRS's own systems were not compromised, the data it entrusted to a vendor for audit research purposes was exposed through a vulnerability in a software product that vendor chose. This chain of dependency shows how a security failure at one point in a supply chain can affect many downstream organizations and their constituents. The response involved coordinated efforts by the software vendor, which issued a patch; the third-party service provider, which is managing notifications and remediation offers; and the primary organization, NHRS, which is communicating transparently with its affected population.
The exposed data is considered highly sensitive, primarily because Social Security numbers were disclosed alongside other personal identifiers such as names and dates of birth. This combination is particularly valuable to anyone seeking to commit identity theft or financial fraud, which is why offering credit monitoring is a standard and recommended response to such breaches. The exposure was limited to retirees and beneficiaries receiving monthly benefits, as opposed to all NHRS members, which defines the scope of the impact within the broader NHRS community.
NHRS, which provides retirement, disability, and death benefits to eligible members and their beneficiaries, serves a substantial population. The system has approximately 48,500 active members and 42,000 benefit recipients, with the incident specifically impacting a subset of the latter group. The State of New Hampshire and more than 460 local government employers participate in NHRS for their employees, teachers, firefighters, and police officers. The integrity of the system's operational data and its internal networks was maintained throughout this event, as the incident was wholly contained within the systems of a third-party vendor.
The timeline of the incident begins with PBI discovering its involvement in the wider MOVEit exploitation and then notifying NHRS. NHRS made its public announcement on August 8, 2023, and PBI mailed notification letters to affected individuals in the following weeks. The credit monitoring offer remains open for enrollment until November 1st, giving impacted individuals a defined window in which to take up the protective measures. The incident serves as a case study in managing the fallout from a supply chain cybersecurity incident in which the primary entity's own systems were not compromised, but a weakness in a vendor's chosen software led to a data compromise. The response is characterized by a clear delineation of responsibility: the vendor handles direct remediation for the individuals whose data it was processing, while the primary organization facilitates communication and encourages its constituents to enroll in the protective offerings.
