T. Rowe Price, New York Life Caught Up in Data Breach Affecting 6M Customers

News September 10, 2024 at 04:31 PM

A data breach that hit technology platform Infosys McCamish Systems last year affected over 6 million customers at several financial services firms, including T. Rowe Price Retirement Plan Services, according to filings with the Maine attorney general's office.

A Sept. 9 report from IMS updates earlier notices to the Maine attorney general, adding the T. Rowe Price business and New York Life Group Benefits Solutions to the list of affected financial services companies.

Principal Life Insurance Co., Prudential Insurance Co. of America and Oceanview Life and Annuity Co. were cited in earlier disclosures starting in June.

A T. Rowe Price spokesperson provided a statement to ThinkAdvisor by email Tuesday afternoon, noting IMS reported in November 2023 that certain systems were encrypted with ransomware. IMS engaged a vendor to identify affected individuals.

In late June, IMS made regulatory filings indicating a total impact of more than 6 million people, and informed T. Rowe Price Retirement Plan Services about a subset of fewer than 10,000 affected individuals associated with nonqualified plans record-kept by T. Rowe Price, the investment firm said.

T. Rowe Price reviewed the data, communicated with its affected nonqualified plan clients, and offered them the opportunity to opt in to mailings from IMS to consumers, the company said, adding that these mailings were sent on August 23.

"T. Rowe Price's systems were not compromised by the incident at IMS and no data was exfiltrated from T. Rowe Price systems. IMS provides recordkeeping support to T. Rowe Price for nonqualified plans only and there was no impact to the services T. Rowe Price provides to qualified and governmental retirement plans," the spokesperson said.

Broadly, IMS has informed consumers affected by the breach that on Nov. 2, the company became aware of the ransomware attack. The technology platform, which serves financial companies, started an investigation and notified law enforcement; it said the incident has since been contained and remediated.

"The in-depth cyber forensic investigation determined that unauthorized activity occurred between October 29, 2023, and November 2, 2023. Through the investigation, it was also determined that data was subject to unauthorized access and acquisition," IMS wrote to consumers.

IMS said it conducted a thorough and time-intensive review of the data at issue, with the assistance of third-party experts, to identify the personal information subject to unauthorized access.

Depending on the individual, the information exposed may include Social Security number, birth date, medical treatment/record information, biometric data, email address and password, username and password, driver's license number or state ID number, financial account information, payment card information, passport number, tribal ID number and U.S. military ID number, according to an IMS notice to the Maine office.

"While we are unaware of any instances since the incident occurred in which the personal information involved has been fraudulently used, we are providing you with information about the incident and steps you can take to protect your personal information, should you feel it necessary to do so," the IMS letter to consumers says.

Early this year, Bank of America offered identity theft protection to over 57,000 customers in deferred compensation plans that it services, citing a Nov. 3 cybersecurity event at IMS, according to a filing with the Maine AG's office.
