In undertaking this responsibility, the suit continues, “TIAA and PBI were both obligated to only hire vendors who maintain adequate data security practices and PSC is obligated to ensure than their file transfer systems — like MOVEit — are secure.”
However, “due to a significant and troubling vulnerability in PSC’s MOVEit software, the PII entrusted by TIAA to PBI by over 2,300,000 retirees, pension holders, and other financial customers was compromised,” the suit states.
According to the Notice of Data Breach received by Lopez, which was received not from TIAA but from PBI, on or around May 31, 2023, “PSC’s MOVEit software disclosed a major vulnerability that was exploited by an unauthorized cybercriminal,” the suit states.
“Over the course of investigating, PBI, who uses PSC in order to transfer files of TIAA’s clients using the MOVEit software system, discovered that, between May 29, 2023, and May 30, 2023, third-party cybercriminals not only exploited the MOVEit software but downloaded and exported the data of Plaintiff and Class members,” the suit explains.
The data breach “was likely perpetrated by a well-known cybergang called Clop,” the suit states. “The modus operandi of a cybergang like Clop is to offer for sale (on the dark web) unencrypted, unredacted private information like the PII of Plaintiff and the Class members.”
Due to the hack, David and the other class members “are in imminent harm of identity theft and other identity-related crimes,” the suit states.
“To compound matters,” the suit continues, TIAA’s conduct following the breach “has been woefully insufficient” in the following areas:
- TIAA did not inform the plaintiff directly of the harm he suffered due to the breach;
- PBI did not disclose the data breach to those affected until nearly six weeks after the breach was first discovered;
- the Notice of Data Breach did not disclose the specifics of the attack or any measures taken to ensure the protection of PII; and
- TIAA did not offer remediation. PBI offered “a meager 24 months of identity theft protection for victims of the Data Breach,” according to the suit.