CalPERS PBI Data Breach - Frequently Asked Questions
Time is running out to take advantage of CalPERS' offer of two years of free credit monitoring.
In June, CalPERS sent a letter informing you that a third-party vendor, PBI Research Services/Berwyn Group (PBI), was involved in a cybersecurity breach. As a result, the personal information of retirees — including their first and last name, date of birth, and Social Security Number — was downloaded. The breach could have also included the names of former or current employers, spouses or domestic partners, and children, but not their Social Security Numbers.
You have until Sept. 30 to sign up for the free credit monitoring services offered in your letter.
Right now, about 20% of CalPERS retirees have signed up for this important protection. While that far exceeds the average number of people (4-6%) who sign up for credit monitoring when a Social Security Number is involved, it means many members have not acted yet.
CalPERS encourages you to activate your membership and start monitoring your personal information as soon as possible. Here are the steps to follow:
- Visit the Experian IdentityWorks website
- Select the Get Started button, then enter the personal activation code included in your June 22 letter
- Use your full email address as your username.
You must enroll by Sept. 30, as your code will expire after this date.
You can also enroll over the phone by calling (833) 919-4735, Monday through Friday from 6 a.m. to 8 p.m. PT and Saturday and Sunday, 8 a.m. to 5 p.m. PT (excluding major holidays).
- Have the CalPERS engagement number B097509 and the personal activation code in your letter ready when calling.
- If you need your personal activation code, send an email to PBIquestions@calpers.ca.gov, along with your name and 10-digit CalPERS identification number, or you can contact the CalPERS Call Center at 888 CalPERS (or 888-225-7377) to get your code.
Frequently Asked Questions
Why did PBI need CalPERS' confidential info?
CalPERS has a fiduciary responsibility to ensure proper payments are made to retirees and beneficiaries, and to prevent instances of overpayments or other errors. PBI provided services to us to identify member deaths to prevent instances of overpayments or other errors. PBI also validated information on inactive members who may have soon been eligible for benefits.
How significant was this cybersecurity breach?
The hackers exploited a vulnerability in the MOVEit software program, which was used by PBI and many other groups. In addition to impacting the personal information of 769,000 CalPERS retirees, this cybersecurity breach reportedly includes more than 1,000 organizations and more than 65 million people worldwide. While we don’t have a comprehensive list of all the companies involved, we have heard from members who have received several notices from different companies related to the incident.
Was a ransom demand made to either PBI or CalPERS?
Due to the highly sensitive nature of this incident, we don’t discuss how we respond to security threats. This is in alignment with Government Code section 7929.210 of the California Public Records Act, in accordance with which we refrain from disclosing information security records that may reveal vulnerabilities to, or otherwise increase the potential for an attack on, our information technology systems or practices.
Has CalPERS heard that anyone’s information has been exposed yet?
CalPERS has seen reports that the group claiming responsibility for this breach has posted information from some of the organizations that were breached.
Will CalPERS initiate a class action lawsuit for members?
CalPERS is considering all legal options.
Why am I getting two years of credit monitoring?
We’re offering all individuals with impacted personal information two years of complimentary credit monitoring and identity restoration services through Experian. These services meet or exceed state law requirements in the small number of states where such requirements exist following a cybersecurity event.
Credit monitoring keeps a daily watch on your credit report for any changes that can be linked to fraudulent activity. It works by sending you alerts when there is suspicious activity or changes in your credit, making it easy for you to stay on top of your personal and financial information. Keeping track of the changes in your report can give you enough time to repair any issues that might be a factor when applying for new credit. Credit monitoring won’t affect your credit scores.
What services are being provided by Experian’s credit monitoring?
You'll have access to the following features once you enroll in Experian IdentityWorks:
- Experian credit report at signup: See what information is associated with your credit file. Daily credit reports are available for online members only. [1]
- Credit Monitoring: Actively monitors Experian file for indicators of fraud.
- Identity Restoration: Identity Restoration agents are immediately available to help you address credit and non-credit related fraud.
- Experian IdentityWorks ExtendCARE™: You receive the same high level of Identity Restoration support even after your Experian IdentityWorks membership has expired.
- Up to $1 Million Identity Theft Insurance: Provides coverage for certain costs and unauthorized electronic fund transfers. [2]
What happens after the two years of credit monitoring end?
The Experian membership ends automatically after the 24-month term expires. Individuals don’t need to take additional steps to cancel the membership. If you’d like to continue the service beyond that, you can purchase those services following that period.
Why are you providing monitoring only through Experian but not Equifax or TransUnion?
Lenders typically provide information to all three credit bureaus and there’s a great deal of overlap. If you’re a U.S. resident, you’re entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit reports, visit Annual Credit Report or call toll-free at (877) 322-8228.
What else can I do to protect my personal information?
In addition to enrolling in the credit monitoring services, we encourage you to take the following precautions:
- Remain vigilant to threats of identity theft or fraud by regularly reviewing and monitoring your accounts and credit history for signs of unauthorized transactions or activity.
- You can place a "fraud alert" on your credit file. Upon seeing a fraud alert displayed on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. You may contact any of the three nationwide credit bureaus — Equifax, Experian, and TransUnion — to request a fraud alert. Once you place an alert with one of the bureaus, that bureau will send your request to the other two.
- A security freeze will prohibit a credit reporting agency from releasing information in your credit report without written authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prevent the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Contact the three major credit bureaus directly to place a security freeze on your credit file.
Credit Bureau Contact Information
- Consumer Fraud Division, P.O. Box 740256, Atlanta, GA 30374
- Credit Fraud Center, P.O. Box 9554, Allen, TX 75013
- P.O. Box 2000, Chester, PA 19016-2000
If I have a credit freeze, do I also need credit monitoring?
We’d still suggest taking advantage of the two years of free credit monitoring and identity restoration services through Experian that CalPERS is offering to all impacted retirees.
What if I already have credit monitoring?
Unfortunately, you can't use our offer to extend your existing Experian enrollment. However, you can have more than one Experian monitoring account using a different email address. If you prefer to keep your paid membership, the additional membership provided by us at no additional cost to you will run in parallel. You’ll receive alerts for both membership accounts throughout the duration of the service.
How do I protect my beneficiaries?
We sent letters to individuals with impacted personal information on June 22. This includes retirees, spouses or children of members receiving ongoing monthly benefit payments from CalPERS, and inactive members who may have soon been eligible to receive benefit payments. Generally, spouses or children of members who receive monthly benefit payments do so because the member is deceased, and the spouse/child(ren) is the member’s survivor or beneficiary. If your beneficiaries don’t receive a monthly benefit payment, then only their name was in the file and their personal information wasn’t impacted.
Was my bank account information compromised?
No, the information involved in the breach didn’t include bank account information.
What steps have been taken and are planned to be taken to protect further against data breaches and to provide for other privacy protections?
We took immediate steps to enhance the security of our members’ benefits. This includes new protocols on the member benefits website, myCalPERS, as well as additional safeguards for those who use the member call center or visit any of our regional offices. We recognized the need to reduce reliance on Social Security Numbers (SSNs) as a primary identifier a long time ago; that’s why we utilize your CalPERS ID for verification to perform changes to your member data. Unfortunately, some government regulations require the use of SSNs for specific purposes, such as tax reporting. Many members are also accustomed to using their SSN for various purposes, such as opening bank accounts, applying for credit, and accessing government services.
We’ve also sent a reminder to the approximately 560,000 retirees whose email addresses we have on file to encourage them to sign up by the deadline of Sept. 30, 2023. This is an important reminder to make sure the contact information in your myCalPERS account is updated and current.
How do I confirm CalPERS has my email?
You can verify your contact information online through your myCalPERS account by logging in and selecting My Account, then Contact Information, or by calling 888 CalPERS (or 888-225-7377). We're available by phone Monday through Friday from 8 a.m. to 5 p.m.
Why didn’t CalPERS offer a solution such as LifeLock, Norton or Identity I.Q. to help protect me from this data breach?
Experian is one of the three credit bureaus in the U.S. LifeLock offers similar services but isn’t a credit bureau. Additionally, Experian agents have access to credit reports and can address issues while on the phone. LifeLock doesn’t have access to credit reports and must go through one of the three credit bureaus to do that.
It’s important to understand that identity theft protection services won’t prevent a bad actor from stealing an individual’s identity, placing it on the dark web, or opening new accounts in a person’s name. We all need to be proactive to protect our personal information. The breach notification letter we sent outlined many steps that one can take to minimize exposure to identity theft, including:
- Freezing your credit report: If you want to ensure that your credit file is inaccessible to bad actors and prevent new credit accounts from being opened in your name, you can freeze your credit report for free.
- Monitor your credit: Even if you freeze your credit, you should still regularly monitor your credit. Experian will monitor your credit report and notify you of any changes. If you identify an error, you should dispute errors immediately.
- Be cautious: Verify that advertisements, emails, and spam phone calls are legitimate before clicking or sharing any personal information. If you don’t know the company or sender of an email or who’s calling on the phone, that can be a red flag. Look up the information online and make sure you only go to sites that are “https” — with the “s” representing secure.
How do I get my activation code if I don’t have my June 22 letter?
The individual codes are specific to you. If you need your code, send an email to PBIquestions@calpers.ca.gov, along with your name and 10-digit CalPERS identification number, and we can send you the code specific to your name. Experian doesn’t have this code. Your activation code also serves as your personal identification number when you’re enrolling.
How can I confirm that I signed up?
We encourage you to call the dedicated helpline at (833) 919-4735, Monday through Friday from 6 a.m. to 8 p.m. PT, and on Saturday and Sunday, from 8 a.m. to 5 p.m. PT (excluding major holidays). Have the CalPERS engagement number B097509 and your personal activation code, which was in your June 22 letter, ready when calling.
Is there any way to opt out of paperless computer services?
We encourage you to sign up for or maintain direct deposit to ensure your monthly benefit payment is securely deposited at your financial institution, especially during times of natural disaster as we’ve seen recently in Lahaina, Maui and Southern California. We’ll be offering an automated phone system at the beginning of October so you can call in and get your deposit and deduction information. An application will be implemented in January 2024 so you can access your warrant information even more easily in myCalPERS.
[1] Offline members will be eligible to call for additional reports quarterly after enrolling.