TIAA Retail Customer Data Exposed in Vendor Breach

Data for close to 9,000 TIAA and TIAA-CREF Life customers was exposed, the firm said.

Personal information for almost 9,000 retail TIAA and TIAA-CREF Life Insurance customers was exposed in a hack that appears related to a breach that caught other financial services firms, according to a disclosure filed Friday with the Maine attorney general’s office.

A TIAA support services vendor, Infosys McCamish Systems, was breached between Oct. 29 and Nov. 2, when IMS discovered the hack, according to a letter from TIAA to affected customers.

When IMS became aware of the incident, it retained a third-party cybersecurity expert to investigate and assist with containment, the letter reported. “IMS implemented additional security controls and restored full services in December and has found no evidence of continued threat actor access in its environment.”

Neither TIAA nor IMS is aware of any fraudulent use of the hacked personal information, but IMS has secured free security monitoring for customers for two years, the letter says. The services include identity theft restoration, $1 million in identity fraud loss reimbursement and fraud consultation.

Earlier in September, IMS told the Maine attorney general that a cyberattack last year had affected data for over 6 million customers at several financial services firms, including T. Rowe Price Retirement Plan Services and New York Life Group Benefits Solutions.

Principal Life Insurance Co., Prudential Insurance Co. of America and Oceanview Life and Annuity Co. were cited in earlier IMS disclosures starting in June.

That breach, which IMS described as a ransomware attack, covered the same dates last year. TIAA’s letter to customers, however, didn’t reference ransomware.

TIAA said in a statement emailed Monday that IMS notified the firm that some TIAA and TIAA Life retail customers, not institutional plan participants, were affected during McCamish’s November 2023 cybersecurity incident.

“There was no involvement whatsoever of TIAA’s systems or recordkeeping platform,” the financial firm said. “We have alerted those affected customers and IMS has secured Kroll’s services to provide identity monitoring services at no cost to them. Data security remains a top priority at TIAA.”

IMS didn’t immediately respond to an email Monday seeking information on the TIAA data exposure.

Pensions & Investments reported on the TIAA data exposure earlier Monday.
