TIAA Retail Customer Data Exposed in Vendor Breach

What You Need to Know

Data for nearly 9,000 retail customers was exposed but no known fraud has occurred, TIAA told customers.

Personal information for almost 9,000 retail TIAA and TIAA-CREF Life Insurance customers was exposed in a hack that appears related to a breach that caught other financial services firms, according to a disclosure filed Friday with the Maine attorney general’s office.

A TIAA support services vendor, Infosys McCamish Systems, was breached between Oct. 29 and Nov. 2, when IMS discovered the hack, according to a letter from TIAA to affected customers.

When IMS became aware of the incident, it retained a third-party cybersecurity expert to investigate and assist with containment, the letter reported. “IMS implemented additional security controls and restored full services in December and has found no evidence of continued threat actor access in its environment.”

Neither TIAA nor IMS is aware of any fraudulent use of the hacked personal information, but IMS has secured free security monitoring for customers for two years, the letter says. The services include identity theft restoration, $1 million in identity fraud loss reimbursement and fraud consultation.

Earlier in September, IMS told the Maine attorney general that a cyberattack last year had affected data for over 6 million customers at several financial services firms, including T. Rowe Price Retirement Plan Services and New York Life Group Benefits Solutions.

Principal Life Insurance Co., Prudential Insurance Co. of America and Oceanview Life and Annuity Co. were cited in earlier IMS disclosures starting in June.