TIAA, a New York-based Fortune 500 financial services organization, provides insurance, retirement, and other financial services to present and former staff of over 15,000 institutions. TIAA experienced a data breach on May 29 and 30, 2023. The breach is one of many incidents across the globe in which attackers seized data by exploiting a vulnerability in MOVEit Transfer software, a free command-line FTP/secure FTP SSL (FTPS) client for Windows systems. The file transfer software was used by one of TIAA's vendors, Pension Benefit Information, LLC (“PBI”), to move customer data files between TIAA and PBI's own servers.
On May 31, the company responsible for MOVEit publicized the software flaw. Following the disclosure, PBI launched an investigation that led to the discovery of the data breach. As a result, TIAA formally reported this third-party breach to the Attorney General of Maine on July 24 and began alerting affected customers about the unauthorized access to their personal information. The information of some 2.4 million retirees, pension holders, and other financial customers was compromised. The compromised data included names, birth dates, addresses, and Social Security numbers (SSNs).
Basis of the Case
A class action suit was filed against TIAA in the Southern District Court of New York on August 7. The complainant asserts that TIAA neglected to implement reasonable security measures and practices appropriate to the nature of the personally identifiable information (PII) it was maintaining. The lawsuit emphasizes TIAA’s alleged oversight in not encrypting this sensitive data. As a result, class members reportedly faced setbacks such as the devaluation of their PII, wasted time and resources addressing the breach’s implications, increased unsolicited calls, texts, and emails, and potential further unauthorized data exposures if TIAA does not rectify its security practices.
A separate suit has been filed against PBI over another incident in which the MOVEit exploit compromised the data of some 1.2 million California retirees.
Call to Action
Reducing exposure to third-party cybersecurity risk is crucial as organizations increasingly rely on external vendors, partners, and service providers. Here are some reasonable measures a company can take to mitigate third-party risk:
- Conduct vendor risk assessments before establishing or renewing a contract with a third-party provider. These assessments should be followed up by continual monitoring of their security posture during the life of the contract.
- Set a baseline of security requirements for all third parties that is comparable to the standards practiced by your own organization.
- Require that all data shared with third parties be encrypted both in transit and at rest.
- Enforce the principle of least privilege (PoLP) so that third parties have limited, controlled access to your systems, restricted to only what the vendor needs to perform its service.
- Have a joint incident response plan (IRP) in place that outlines how both parties will respond to a cybersecurity incident such as a breach, including each party's responsibilities and the remediation steps required.
- Require that all contracted third parties carry an active cybersecurity insurance policy that covers them in the event of an incident.
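As an added illustration of the "encrypted in transit" and "least privilege" items above (this is example code written for this page, not anything from TIAA, PBI, or the MOVEit product), the following script audits the OpenSSH server configuration that a company might use to receive vendor files over SFTP. It assumes each vendor account is configured in its own `Match User` block in `sshd_config`, and checks that the block confines the account to an SFTP chroot with no shell, forwarding, or password login. The directive names are real OpenSSH keywords; the configuration text, account names, and paths are constructed for the example, with one deliberately weak block beside one hardened block.

```python
"""Audit sshd_config Match blocks for third-party (vendor) SFTP accounts.

Added example, not part of the original article. It assumes the vendor
exchanges files over SFTP on an OpenSSH server and that each vendor account
is configured in a per-user `Match User` block. The sample config below is
constructed for illustration only.
"""

# Real OpenSSH directives and the values a least-privilege file-drop account
# should carry. A value of None means "must be set, any value accepted".
REQUIRED = {
    "chrootdirectory": None,            # confine the account to one directory
    "forcecommand": "internal-sftp",    # SFTP only, never an interactive shell
    "allowtcpforwarding": "no",         # no pivoting into internal networks
    "x11forwarding": "no",
    "permittunnel": "no",
    "permittty": "no",
    "passwordauthentication": "no",     # key-based authentication only
}


def parse_match_blocks(config_text):
    """Return {match_spec: {keyword_lower: value}} for each Match block.

    Global directives before the first Match line are ignored; a Match block
    runs until the next Match line, mirroring how sshd reads the file.
    """
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()             # sshd keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = value
            blocks[current] = {}
        elif current is not None:
            blocks[current][keyword] = value
    return blocks


def audit_vendor_account(blocks, user):
    """List least-privilege gaps for `Match User <user>`; an empty list is clean."""
    spec = f"User {user}"
    if spec not in blocks:
        return [f"no Match block for {user}: account inherits global settings"]
    directives = blocks[spec]
    findings = []
    for keyword, expected in REQUIRED.items():
        actual = directives.get(keyword)
        if actual is None:
            findings.append(f"{keyword} not set")
        elif expected is not None and actual.lower() != expected:
            findings.append(f"{keyword} is '{actual}', expected '{expected}'")
    return findings


# Constructed sample configuration (hypothetical accounts and paths).
SAMPLE_SSHD_CONFIG = """
Subsystem sftp internal-sftp

# Weak: vendor account gets a normal shell, forwarding, and password login
Match User vendor-legacy
    PasswordAuthentication yes

# Hardened: vendor can only drop and pick up files inside its own chroot
Match User vendor-files
    ChrootDirectory /srv/sftp/vendor-files
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
    PasswordAuthentication no
"""

if __name__ == "__main__":
    blocks = parse_match_blocks(SAMPLE_SSHD_CONFIG)
    for account in ("vendor-legacy", "vendor-files"):
        gaps = audit_vendor_account(blocks, account)
        status = "OK" if not gaps else f"{len(gaps)} finding(s)"
        print(f"{account}: {status}")
        for gap in gaps:
            print(f"  - {gap}")
```

Run against a real `sshd_config` by reading the file into `parse_match_blocks` instead of the embedded sample; the checks are a starting point for a vendor-access review, and the same shape of audit applies to any channel a third party uses to reach your systems.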