ThinkAdvisor

TIAA Hit With Class-Action Suit Over MOVEit Hack


What You Need to Know

  • The suit was filed by former and current employees of companies that used TIAA to process benefits.
  • The plaintiffs were never informed by TIAA that their personal data had been compromised, according to the suit.
  • MOVEit, a file transfer system used by a third party, disclosed a major vulnerability that was exploited by a cybercriminal.

TIAA is being sued over a data breach tied to the ongoing cyberattack campaign exploiting MOVEit file-transfer software, a campaign that has reportedly also affected U.S. colleges and universities.

TIAA was hit with a data breach class action on Monday in the U.S. District Court for the Southern District of New York.

The suit was brought by Andre Lopez on behalf of former and current employees of companies that used TIAA to process benefits. The law firm Israel David LLC is representing the plaintiffs.

According to the suit, TIAA failed to properly secure and safeguard personally identifiable information, or PII, including but not limited to: “plaintiff’s and Class members’ name, Social Security number, gender, date of birth, and physical address.”

TIAA hired an entity called PBI, a vendor that provides search tools to financial services institutions such as TIAA, the suit states. PBI, in turn, hired PSC, a software company, for the storage and transfer of TIAA’s client data entrusted to PBI.

PBI uses PSC’s MOVEit file transfer services for a variety of purposes, including the transfer of Plaintiff’s and Class members’ personal data.

“Like millions of Americans, Plaintiff’s and the Class members’ PII was given to TIAA for financial purposes and was entrusted by TIAA to PBI,” the suit states.

In undertaking this responsibility, the suit continues, “TIAA and PBI were both obligated to only hire vendors who maintain adequate data security practices and PSC is obligated to ensure that their file transfer systems — like MOVEit — are secure.”

However, “due to a significant and troubling vulnerability in PSC’s MOVEit software, the PII entrusted by TIAA to PBI by over 2,300,000 retirees, pension holders, and other financial customers was compromised,” the suit states.

According to the Notice of Data Breach that Lopez received, which came not from TIAA but from PBI, on or around May 31, 2023, “PSC’s MOVEit software disclosed a major vulnerability that was exploited by an unauthorized cybercriminal,” the suit states.

“Over the course of investigating, PBI, who uses PSC in order to transfer files of TIAA’s clients using the MOVEit software system, discovered that, between May 29, 2023, and May 30, 2023, third-party cybercriminals not only exploited the MOVEit software but downloaded and exported the data of Plaintiff and Class members,” the suit explains.

The data breach “was likely perpetrated by a well-known cybergang called Clop,” the suit states. “The modus operandi of a cybergang like Clop is to offer for sale (on the dark web) unencrypted, unredacted private information like the PII of Plaintiff and the Class members.”

Due to the hack, David and the other class members “are in imminent harm of identity theft and other identity-related crimes,” the suit states.

“To compound matters,” the suit continues, TIAA’s conduct following the breach “has been woefully insufficient” in the following areas:

  • TIAA did not inform the plaintiff directly of the harm he suffered due to the breach;
  • PBI did not disclose the data breach to those affected until nearly six weeks after the breach was first discovered;
  • the Notice of Data Breach did not disclose the specifics of the attack or any measures taken to ensure the protection of PII; and
  • TIAA did not offer remediation. PBI offered “a meager 24 months of identity theft protection for victims of the Data Breach,” according to the suit.

For a list of life insurance and retirement-related organizations affected by the MOVEit breach, as of Aug. 21, 2023, see MOVEit Hack Hit These Life, Annuity and Retirement Firms.


© 2024 ALM Global, LLC, All Rights Reserved.