CalPERS CEO gives update on data hack that exposed Social Security numbers, birth dates

Maya Miller
Tue, July 18, 2023 at 12:14 a.m. GMT+1

The California Public Employee and Retirement System launched its three-day offsite meeting in Monterey with a long-awaited update on a June data breach that exposed Social Security numbers, birth dates and other personal information on nearly 1.2 million retirees and other beneficiaries.

The update follows a call from California State Treasurer Fiona Ma, who sits on both the CalPERS and CalSTRS boards, for the nation’s two largest public pension funds to hold special meetings and provide members with an update on the organization’s response to the breach.

“We know what an unsettling experience this has been for our retirees,” said CalPERS CEO Marcie Frost less than five minutes after the board convened at 9 a.m. “So, I want to address what we’re doing to make the recovery process as smooth as possible for them.”

The third-party vendor that was hacked, PBI Research/Berwyn Group, works with CalPERS and the California State Teachers’ Retirement System to identify any members who have died, which helps the agencies prevent overpayments or other errors.

CalPERS said that PBI was using a data transfer application called MOVEit Transfer, made by Progress Software, that organizations around the nation use to share data securely. The application boasts encryption, tracking and access controls for secure collaboration and automated transfers.

In the Monday update, Frost said CalPERS has received nearly 4,000 calls about the breach at its own customer contact center. The average wait time is one minute, she said. Retirees can also send in questions to the email address [email protected], which Frost said is monitored by CalPERS managerial staff. The average wait time for an email response is less than 24 hours, she said.

The pension fund also established a special call center with Experian, which has fielded nearly 34,000 calls. Callers were experiencing “alarming” wait times, Frost said, so last weekend the call center added 50 more representatives to help bring wait times back down to one to two minutes.

So far, about 122,000 CalPERS retirees have signed up for two years of free credit monitoring and identity restoration services through Experian. Frost said this represents a higher-than-expected response, according to Experian, when compared to other companies that it’s worked with following data breaches. (Frost noted that these companies were largely private employers, rather than public pension funds.)

Frost suggested members could find answers to their questions at calpers.ca.gov/page/home/pbi. She encouraged people who need more help to send an email to [email protected] or contact the CalPERS call center at (833)-919-4735. The hours are 6 a.m. to 8 p.m. on weekdays and 8 a.m. to 5 p.m. on weekends.

“We realize how sensitive this situation is,” Frost said, “and again, we want to reassure our retirees that we’ll do everything possible to help them through the situation.”

Retirees say CalPERS isn’t doing enough
Devara “Dev” Berger, a retiree who used to work for CalPERS overseeing health legislation, didn’t know that the board would provide an update at its offsite meeting. When she looked at the agenda, she saw no indication that the board would discuss the breach or take public comments from members.

“CalPERS is foisting the majority of action about the breach onto us,” Berger said. “That is what infuriates us. That shows a complete lack of integrity and leadership.”

Berger is upset that the pension fund’s board hasn’t heeded the state treasurer’s request to host a public hearing or town hall where members can directly engage with board members.

“I’m not buying into it,” Berger said. “I’m not buying into CalPERS telling me ‘c’est la vie.’”

The board planned to take questions at its June meeting, but then it ended the question period “for the board’s convenience,” according to former board member J.J. Jelincic, who attended the meeting.

This came after stakeholders had been forced to wait as the board repeatedly extended a closed session meeting, Jelincic said, making attendees wait two hours after initially saying it would be 20-30 minutes.

CalPERS spokesman Brad Pacheco told The Bee at the time that staff ended the stakeholder briefing because many attendees had come to hear about the proposed 2024 health care rates. The board’s Pension & Health Benefits Committee was starting a meeting where those rates would be discussed, and staff didn’t want to overlap meetings.

At Monday’s meeting, two members spoke in person during the public comment section after Frost’s update about the data breach. Former board member Margaret Brown wanted to know whether PBI or CalPERS received a ransomware demand from the hackers, and whether the pension fund’s ransomware insurance covered that demand.

The board didn’t provide an answer.

“Two years is not enough time to protect us,” Brown said, referring to Experian’s two-year credit monitoring and identity restoration program. “Now, 769,000 members have all their data out there in the public – forever. Not for two years. Forever.”

Why does CalPERS contract with PBI?
In her update, Frost also addressed the question of why CalPERS contracts with PBI in the first place. She said PBI provides the most timely and accurate information about retiree deaths, which prevents overpayment of benefits. An internal CalPERS audit from 2021 found that the pension fund had failed to recover nearly $42 million in payments to about 22,000 dead people.

Death records are maintained by each individual state, and CalPERS previously used the Social Security Administration’s “Death Master File” to obtain verification of retiree deaths, according to a letter from Keith Riddle, the then-chief of the Disability and Survivor Benefits Division in response to the audit. But in 2011, the federal administration prohibited public pension plans from accessing state death records.

Social Security now only provides access to the full file of death information, which includes state death records, to “certain federal and state agencies.” CalPERS submitted an application in 2020, according to Riddle’s letter, but was denied because its benefits are not fully funded by the state.

The federal administration also sells a “Limited Access DMF,” which still excludes death records provided through contracts with states, to agencies and businesses that engage in fraud prevention. One such subscriber is The Berwyn Group, which the pension fund has contracted with since 2011 after the Social Security Administration made the change.

In February 2022, CalPERS entered a contract with PBI Research in order to access even more data and compile a complete picture of retiree death information. (Berwyn Group and PBI Research are currently in the process of merging.) Frost said the data that CalPERS shared with PBI was fully encrypted “from our end.”

“There’s a very small community of vendors that actually do this type of work,” Frost said. “The moment we made the decision that this data would leave,” she continued, “we placed this data in the hands of a vendor who we had a trusted and very strong contract with.”

Frost would not elaborate further, citing a pending class-action lawsuit from two pensioners in San Francisco federal court.