IMPORTANT: TIAA Third-Party Data Security Incident

Monday, July 24, 2023

RCUH’s retirement plan provider TIAA has reported that a third-party vendor, Pension Benefit Information, LLC (“PBI”), was affected by the worldwide MOVEit security breach that occurred on or around May 31, 2023. PBI utilizes MOVEit to securely transfer files. Unfortunately, TIAA has confirmed that there are RCUH participants whose personal information was involved. Impacted individuals will receive a letter from PBI over the next few days that will have additional information. Although PBI is unaware of any identity theft or fraud as a result of this event at this time, PBI is offering free credit monitoring for 24 months.

Law enforcement has been notified by PBI, and TIAA Information Security experts are in close contact with the third-party vendor. TIAA stated that it is working diligently to address and remediate this incident as quickly as possible, and shared the update below:

What TIAA knows:

  • This incident involves the MOVEit Transfer software owned by Progress Software and used by our vendor, Pension Benefit Information, LLC (“PBI”).
  • PBI receives personal data of individual participants and clients and matches it against death notices and obituaries to assist TIAA in death claim and beneficiary processes.
  • Personal information from people at your institution is part of this incident: first and last name, address, date of birth, gender and Social Security Number.
  • No information was obtained from TIAA’s systems and TIAA systems are not threatened.
  • We have not observed any related unusual activity from this event involving TIAA accounts.
  • We have reviewed our systems and we are not susceptible to the security vulnerability associated with this security incident.

In the meantime, people should always remain attentive to the possibility of fraud and identity theft. Some of the steps that help protect online interactions include:

  • Enabling multifactor authentication everywhere it is available and not automatically provided. At TIAA, we provide it automatically.
  • Creating a unique password with 12 or more characters for each of their online accounts. Weak and compromised credentials are the most-used attack vector.
  • When you receive an email, stop and look for red flags. The best way to defend against phishing is to assume that every email is part of a phishing attack.
  • Be cautious of urgent requests. Cyberattacks are designed to catch you off guard and trigger you to click links impulsively.
  • Being wary of oversharing personal information online.
  • Being vigilant in spotting email and text phishing attacks, which urgently request personal information for claimed emergencies.
  • Keeping personal contact information current with financial institutions and reporting unusual balance activity immediately.
  • Regularly monitoring credit score and online accounts.
  • Using antivirus software for all devices and updating software, hardware and applications.
  • Securing home networks with unique passwords and setting up a unique PIN for mobile phone SIM cards.
  • Knowing how to report identity theft and cybersecurity incidents.
  • If you’d like to look into the risks and benefits of freezing your credit, visit: https://www.usa.gov/credit-freeze.

If you have additional questions, you may call TIAA at 1-800-842-2252, weekdays from 8:00 AM to 10:00 PM (Eastern Standard Time).