TIAA Hit With Class-Action Suit Over MOVEit Hack


In undertaking this responsibility, the suit continues, “TIAA and PBI were both obligated to only hire vendors who maintain adequate data security practices and PSC is obligated to ensure that their file transfer systems — like MOVEit — are secure.”

However, “due to a significant and troubling vulnerability in PSC’s MOVEit software, the PII entrusted by TIAA to PBI by over 2,300,000 retirees, pension holders, and other financial customers was compromised,” the suit states.

According to the Notice of Data Breach that Lopez received, which came from PBI rather than from TIAA, on or around May 31, 2023, “PSC’s MOVEit software disclosed a major vulnerability that was exploited by an unauthorized cybercriminal,” the suit states.

“Over the course of investigating, PBI, who uses PSC in order to transfer files of TIAA’s clients using the MOVEit software system, discovered that, between May 29, 2023, and May 30, 2023, third-party cybercriminals not only exploited the MOVEit software but downloaded and exported the data of Plaintiff and Class members,” the suit explains.

The data breach “was likely perpetrated by a well-known cybergang called Clop,” the suit states. “The modus operandi of a cybergang like Clop is to offer for sale (on the dark web) unencrypted, unredacted private information like the PII of Plaintiff and the Class members.”

Due to the hack, David and the other class members “are in imminent harm of identity theft and other identity-related crimes,” the suit states.

“To compound matters,” the suit continues, TIAA’s conduct following the breach “has been woefully insufficient” in the following areas:


TIAA did not inform the plaintiff directly of the harm he suffered due to the breach;
PBI did not disclose the data breach to those affected until nearly six weeks after the breach was first discovered;
the Notice of Data Breach did not disclose the specifics of the attack or any measures taken to ensure the protection of PII; and
TIAA did not offer remediation. PBI offered “a meager 24 months of identity theft protection for victims of the Data Breach,” according to the suit.