What You Need to Know
- The suit was filed by former and current employees of companies that used TIAA to process benefits.
- The plaintiffs were never informed by TIAA that their personal data had been compromised, according to the suit.
- MOVEit, a file transfer system used by a third party, disclosed a major vulnerability that was exploited by a cybercriminal.
TIAA is being sued for a data breach related to the ongoing cyberattack exploiting MOVEit file-transfer software, which has been reported to have taken a toll on U.S. colleges and universities.
TIAA was hit with a data breach class action on Monday in the U.S. District Court for the Southern District of New York.
The suit was brought by Andre Lopez on behalf of former and current employees of companies that used TIAA to process benefits. The law firm Israel David LLC is representing the plaintiffs.
According to the suit, TIAA failed to properly secure and safeguard personally identifiable information, or PII, including but not limited to: “plaintiff’s and Class members’ name, Social Security number, gender, date of birth, and physical address.”
TIAA hired an entity called PBI, a vendor that provides search tools to financial services institutions such as TIAA, the suit states. PBI, in turn, hired PSC, a software company, for the storage and transfer of TIAA’s client data entrusted to PBI.
PBI uses PSC’s MOVEit file transfer services for a variety of purposes, including the transfer of Plaintiff’s and Class members’ personal data.
“Like millions of Americans, Plaintiff’s and the Class members’ PII was given to TIAA for financial purposes and was entrusted by TIAA to PBI,” the suit states.