
MOVEit Data Transfer Breach

edited August 2023 in Other Investing

MOVEit data transfer is used institutionally & they found that it had a hackable access/trap door that some bad people used to access data being transferred. This breach has affected many firms - banks, brokers, several government organizations (including Social Security), but I haven't heard anything from anyone else EXCEPT from PBI on behalf of TIAA.

We got letters from PBI (with ID numbers) about the TIAA breach & we both signed up with Kroll for 2 years of free credit monitoring. Signup requires providing DOB, Social Security number, etc & answering a short Q&A based on some personal credit history - the most common answer was N/A but not for all.

Kroll is the old Duff & Phelps. The old Duff & Phelps bought Kroll & renamed the whole thing Kroll. So, it is a very old company that you may not have heard of (1932- ).

Has anyone gotten info/letters on this breach from other institutions?

Those with access to M* or Facebook may also follow details there.

Edit/Add. From MFO Search, I found this for TD Ameritrade/Schwab, https://www.mutualfundobserver.com/discuss/discussion/comment/165831/#Comment_165831

https://en.wikipedia.org/wiki/2023_MOVEit_data_breach
https://securityintelligence.com/news/the-moveit-breach-impact-and-fallout-how-can-you-respond/
https://www.pionline.com/courts/retired-teacher-sues-tiaa-over-moveit-data-breach
https://www.healthcaredive.com/news/612K-Medicare-beneficiaries-affected-MoveIt-data-breach/689346/

Comments

  • Thank you for this information. I've passed this along to numerous folks to pass to others, too.
    Regards,
    Catch
  • I see I have a letter coming this afternoon from PBI. Since over 500 organizations are affected, it could be someone else but might be TIAA. I withdrew my last penny from TIAA in 2016. If mine is also TIAA then they make your identity information eternally vulnerable even after your exit. Since my husband just died and, apparently, PBI processes death verifications for many organizations, it could be any company. As of the end of July, this cyber security dive site reports:
    July 26
    Nearly 500 organizations and almost 24 million individuals have been exposed by the mass exploit of the MOVEit vulnerability, according to Emsisoft.

    The victim count continues to rise from a steady stream of disclosures and more organizations listed on Clop’s leak site. One-quarter of the 286 public disclosures made to date specify the number of individuals impacted, according to Callow.

    Clop has listed 206 organizations on its leak site, which means 2 in 5 victims have yet to confirm a compromise via public disclosure notices, Callow said. At least 136 organizations that don’t use MOVEit directly have been exposed via third-party vendors.

    The prolific threat actor has leaked data across the dark and clear web it claims to have stolen from multiple companies. Security researchers said threat actors sometimes leak data on the clear web to post the data more quickly and increase pressure on their victims.

    Based on the disclosures made to date and the average number of individuals compromised per disclosure, Emsisoft estimates almost 130 million people have been exposed by this widespread attack. The number of victims continues to grow.
    Cyber Security Dive: MOVEit mass exploit timeline
  • Wife has a small TIAA account that was affected. We got a letter well over two weeks ago, although the letter says they discovered it on May 31!

    I am glad I put credit freezes on ALL of our families credit accounts.

    It's a PIA at times but worth the peace of mind.

    Won't stop them if they got login credentials, but most of the time it is SSN, addresses, etc.
  • Hi @Anna , thank you for the added information.
  • @Anna Have you found a current listing of the companies affected by CL0P? I've looked around and cannot find a decent up-to-date listing. Thank you.
  • edited August 2023
    @catch22 No, I looked briefly and, although some search hits claimed to have lists, I didn't see any that were complete. I didn't try very hard. The best I found was hard to use:
    MOVEit hack victim list
  • @Anna A great list. Appears that daily updates will take place, too. I'm passing this site to a lot of folks. We have one notify about a partial breach from an insurance company, but no notify about our data, at this point. Thank you.
  • Well, the envelope may have been in my 7AM USPS Informed Delivery email but it did not make it to my mailbox. The regular man has often been replaced with a substitute and a lot of mistaken deliveries have occurred lately. If so, I hope the person who received it will put it back in the system rather than toss it. The envelope just has my address and the logo "PBI >" on it so it looks a bit like junk mail without a real return address on it. Otherwise, I will never know which account I was being warned about. I notified the post office via the Internet non-delivery check box, but I doubt that does anything.
  • edited August 2023
    USPS Informed Delivery is usually the same day, or the next day, or after 7-10 days (if mail misdelivered & hopefully returned to Post Office/mail-person).

    Complaint is useless. I have complained about delayed deliveries of Certified mail (not cheap) and even for those, there isn't any response. In one case, it was delivered very late, but I also got a response from the Post Office: sorry, we cannot do anything.

    If you really want something tracked, send as Registered and/or Insured.
  • @yogibearbull Maybe I will see it tomorrow. It's too bad you can't track mail you are receiving from someone else. Thanks.
  • USPS has Louis DeJoy to thank. A total cluster-flop. I'm dealing with a big unauthorized fraudulent charge on my credit card. Wonder if it's connected to the breach? Never have had a TIAA account.

    I wish there was a way to uncover all the scumbags and just throw them to the bottom of the sea.
  • edited August 2023
    Facebook is mentioned. I’ve never joined. Yesterday I found their marketplace extension where individual sellers in your locale can advertise. Some items looked of interest. But Geez. No addresses or phone numbers to the sellers. Just a link that requires you to open a farcebook account to even contact or locate the seller. A far cry from the old classified ads that used to appear in the (now extinct) local print newspaper. Farcebook is too “sticky.” My anti-tracking systems have detected them trying to follow me around the internet.

    What’s the world coming to?
  • List is useful but a rather odd setup

    Fidelity is listed but link is only to Maine retirement Plan

    Schwab only through TD Ameritrade

  • @Anna

    My wife and I just signed up at Kroll the monitoring service pbi uses. The letter had a Membership number that you need to sign up, which was in the letter.

    I don't know if you could get a response from either pbi or Kroll without it, but Kroll has all the information you would expect already, DOB name address etc so if they are willing to help they have an account in your name already.

    To verify identity they then ask you about your cars, mortgages etc

    BTW, we have been victims of many, many hacks and possible data breaches over the years (one year I counted five) and nothing ever came of it. That is not to say it couldn't, but these monitoring services don't really do much.

    Your best bet, I think, is to freeze your credit report access at all the credit reporting bureaus.

    Unless you have to increase your credit line on a card, or take out a loan, it is seamless and does not interfere with anything.

    It is kinda a pain to set up though
  • Well, I've got to ask what/who is PBI, that is mentioned in this thread? I'm not familiar. Search didn't satisfy my question. Thank you.
  • sma3 said:


    It is kinda a pain to set up though

    Yes, after my husband died, I had to report it to all the credit agencies. Supposedly, all you need to do is report it to one and ask that one to report it to the others. So, I sent a letter and the relevant documentation to TransUnion with the request that they report it to the others. I also requested a final credit report for him. They said they reported his death to Experian and Equifax but not the request for a final report. I requested the final reports from the other two and they would not give them to me without jumping some hoops. When I asked that they verify that TransUnion had reported his death to them, one didn't answer and the other said he was sure that if I asked that it be done, it must have been, but he wouldn't check for me. I gave up.

    Like you I am a member of numerous breaches, including a couple of federal government ones and State of Delaware ones. I have been on many watches and will join another if invited. Honestly, I find these companies provide more information on my neighborhood predators than on my ID or financial stuff. I hate it because each time it is a different company, and the company wants all my personal and financial information. Which, to me, just creates a centralized list of all the information on me. What a break-in that would be if all MOVEIT personal info were breached!

    Thanks.
  • @Anna
    I am sorry your husband passed. It seems most of the posters here are men, and women have less interest in trading/investing.

    My wife is similar and rivals Buffett, as she would never sell anything, (including CSCO in the 80s in 2000!)

    While I am healthy and only recently retired, Charles Lynn Boylin's posts about setting up a simple "Glide path" for his wife if he gets hit by a bus is a useful reminder that we need to think ahead.

    We have had our data hacked many times. Three times at Yale New Haven Hospital alone; twice by BC/BS. OPM from USGOV. A hard disc with all our unencrypted account information from a bank we used was "lost" in the back seat of a taxicab.

    The most egregious was the Equifax hack.

    It goes on and on.

    @catch22 see link below

    TIAA hired an entity called PBI, a vendor that provides search tools to financial services institutions such as TIAA, the suit states. PBI, in turn, hired PSC, a software company, for the storage and transfer of TIAA’s client data entrusted to PBI.

    PBI uses PSC’s MOVEit file transfer services for a variety of purposes, including the transfer of Plaintiff’s and Class members’ personal data.

    https://www.thinkadvisor.com/2023/08/08/tiaa-hit-with-class-action-suit-over-moveit-hack/
  • PBI tracks down people & verifies if they are dead or alive without being obvious about it. So, it isn't a matter of - why they didn't just call me?

    You may have heard of stories about people defrauding insurance & annuity co & retirement plans by continuing to collect payments when the legal recipient is dead.

    A reverse problem is when these co don't determine when people have died. Of course, death benefits/claims must be initiated by executors and/or beneficiaries (who may not be aware in some cases).

    This requires specialized knowledge & databases.

    https://www.pbinfo.com/
  • Well now I know. The letter says Corebridge Financial (formerly, in my case, AGI VALIC) is the source of the data breach that includes me. This is an old 403b type plan from my days at University of Texas. The letter seems to be the same as others have described with the same credit watch and advice. Thanks all for your input.
  • Thank you all, for the PBI description. I did find this in a search, but didn't readily connect the dots as to the function of the company and its place in the data stream of information.
    Per @Anna and apparent old file data still stored.....but, breached, and related to the early days of data:
    From a Moody Blues lyric, the song; 'In the Beginning', 1969:

    I've miles
    And miles
    Of files
    Pretty files of your forefather's fruit
    And now to suit our
    Great computer,
    You're magnetic ink.


    Tape files, the early days, eh Anna?

  • @Anna

    Hook 'em Horns!!!

    I graduated UT in 73, then left Texas after being born and raised there

    I don't recognize the place now! Austin is a nightmare
  • @catch +1 Yes, she was so young and hot in those days.
    @sma3 :) Austin used to be an oasis, different from the rest of the east Texas flavor. (El Paso was my favorite, however. It's changed more, I hear.)
  • @Anna and @sma3 Dinging the thread a bit per Austin. I visited U-T friends there in 1972 for a few weeks, and Austin was an amazing city. I do believe I wouldn't want to live there now at my/our ages. In hindsight, if one had the monies and foresight at the time; purchasing 40 acres of land here and there around the city limits at that time would have provided for a handsome retirement nest egg.:)
  • @catch22

    My father and his sisters kicked themselves because starting in 1965, there was at least one cousin at UT for 20 plus years, and then my sister was teaching school. Then in the 2000's the grandkids started at UT. So far there have been four of them.

    If they had bought a house large enough for all the cousins ( there were never more than 3 or 4 at a time) in the 60's they would have made out like bandits.

    My sister's husband paid $15000 for five acres of land outside of Wimberly ( 45 mins south) in the 1980s. He built his house over time but had a small mortgage for AC and a rain water collecting system. It is assessed at $800,000 now
  • A poster at M* noted that the free credit monitoring offered by Kroll/PBI/TIAA is for 1 credit bureau only. So, I just checked mine by logging into Kroll & under "Services", it says Experian only.

    Kroll also offers 3-bureau credit monitoring for-pay.

    Disappointing.
  • I don't know if you could get a response from either pbi or Kroll without [a letter], but Kroll has all the information you would expect already, DOB name address etc

    FWIW, from TIAA's FAQ on the data breach:
    Can I find out if I am affected without waiting for a letter?

    Yes, you can contact the call center, which is being managed by Kroll, at 1-866-373-7560. The call center is open Monday through Friday from 9 a.m. to 6:30 p.m. Eastern time (excluding U.S. holidays).
    https://www.tiaa.org/public/land/data-security-faqs

    Here's a template of the letter that is sent to people affected by the TIAA breach (fill in name, etc.)
    https://www.databreaches.net/teachers-insurance-and-annuity-association-of-america-notifying-2630717-after-pbi-alerts-them-to-moveit-breach/
  • A poster at M* noted that the free credit monitoring offered by Kroll/PBI/TIAA is for 1 credit bureau only. So, I just checked mine by logging into Kroll & under "Services", it says Experian only.

    Aside from a self-destruct date (two years of service), I wonder if there is a difference between this and the Experian-only free monitoring service that AAA provides to members?

    https://www.aaa.com/experianidtheft/
  • BTW, I am also signed up for FREE Credit Karma (Intuit/INTU) that provides free credit reports and monitoring from Equifax and TransUnion.

    So, Kroll covers the 3rd, Experian, for me.

    If you have other credit monitoring, then the Kroll offer via PBI is redundant.
  • edited August 2023
    sma3 said:

    @Anna
    Hook 'em Horns!!!
    I graduated UT in 73, then left Texas after being born and raised there
    I don't recognize the place now! Austin is a nightmare

    Pretty much the same story here; graduated 1971, took off for the West afterwards. I look back on Austin then as an idyllic place to have lived as an undergrad.

    A friend, burned out of her home between L.A. and S.B. in one of the CA wildfires, escaped with only the cat and a small pack, moved to Austin ~ 2019 to be close to relatives. When I've told her what Austintatious was like when I lived there, she hardly believes me. (Onward through the fog!)
  • More on Kroll, a "cyber security firm" that has itself gotten hacked:

    Krebs on Security has posted a new item.

    Security consulting giant Kroll disclosed today that a SIM-swapping attack
    against one of its employees led to the theft of user information for multiple
    cryptocurrency platforms that are relying on Kroll services in their ongoing
    bankruptcy proceedings. And there are indications that fraudsters may already
    be exploiting the stolen data in phishing attacks.

    Cryptocurrency lender BlockFi and the now-collapsed crypto trading platform
    FTX each disclosed data breaches this week thanks to a recent SIM-swapping
    attack targeting an employee of Kroll -- the company handling both firms'
    bankruptcy restructuring.

    https://krebsonsecurity.com/2023/08/kroll-employee-sim-swapped-for-crypto-investor-data/

    I would highly recommend reading Krebs. He knows what he is talking about and has lots of useful information. This post details how a SIM attack works and recommends eliminating the two-factor authentication feature on brokerage accounts because it also makes you vulnerable to password theft.