Tennessee Consolidated Retirement System (TCRS) reports vendor data breach

The Tennessee Consolidated Retirement System (TCRS) has taken steps to notify retirees and their beneficiaries about a data security breach that occurred through MOVEit Transfer, a file transfer software used by Pension Benefits Information (PBI), a vendor contracted by TCRS.

PBI, a national company that verifies address and death records, is utilized by numerous companies, including TCRS, to validate retiree information and prevent overpayments. Unfortunately, unauthorized third parties gained access to retiree personal information submitted to PBI via MOVEit Transfer.

Upon being informed of the breach, TCRS immediately collaborated with PBI to identify the potentially compromised files and determine the resources that would be made available to those affected. On June 26, PBI confirmed to TCRS that files containing the personal information of 171,836 retired members and their beneficiaries had been accessed during the breach. The exposed information consisted of

• names,
• social security numbers,
• dates of birth,
• mailing addresses.

No banking or payment details were included in the accessed files, and the data breach did not affect active members of the retirement plan. TCRS initiated the process of directly notifying impacted individuals on June 28.

TCRS has confirmed that the data breach was limited to the information transmitted to PBI through MOVEit Transfer and did not impact their internal systems.

The retirement system has been diligently monitoring its online systems for any signs of suspicious activity and intends to inform credit agencies about the unauthorized access to members' information.

To assist retired members, PBI will provide free access to credit monitoring and identity restoration services offered by Kroll to all impacted members. PBI will directly communicate the necessary information on how to utilize these services to the impacted parties.