NHRS Annuitant Data Exposed by Third-party Vendor

PBI is notifying retirees and beneficiaries impacted by MOVEit data breach by mail; No NHRS computer system or networks were compromised

Aug 08, 2023
  • Retirees

For Immediate Release: August 8, 2023
Contact: cyber-response@nhrs.org

CONCORD, NH – The New Hampshire Retirement System (NHRS) was recently notified of a cybersecurity incident involving one of our service providers, PBI Research Services (PBI). PBI provides audit and address research services for many types of companies, such as insurers, pension funds, and other such organizations.

PBI recently informed NHRS that an application it uses for data transfers, called MOVEit, contained a vulnerability that potentially enabled unauthorized individuals to access data handled using MOVEit.

Because PBI utilized MOVEit to handle NHRS data, PBI notified us, and we are alerting our annuitants about this incident. Because PBI provided audit research services to NHRS, PBI has data that includes the name, date of birth, zip code, and Social Security number of NHRS retirees and beneficiaries in receipt of a monthly benefit.

If an NHRS retiree or beneficiary was affected in this incident, that individual will receive a notification letter from PBI within the next few weeks. When PBI sends the notification letter to the affected NHRS retirees and beneficiaries, it will contain enrollment and contact information for those individuals to enroll in free credit monitoring and identity restoration services through Kroll, a leading provider of cyber security services. The letter will provide instructions on how to sign up for these services, along with a unique membership number. (Note: All letters will be dated August 3.)

Please note that this incident involved PBI’s and MOVEit’s systems, not NHRS’ systems. No system or network of NHRS was compromised or otherwise impacted in this incident.

The MOVEit compromise has been widely reported in the news and has affected a large number of organizations in a wide variety of different industries, including other state pension plans. Since discovering this incident, MOVEit deployed a patch to eliminate the vulnerability.

If you receive a letter from PBI, NHRS strongly encourages you to enroll in the free credit and identity protection services offered. Eligible retirees and beneficiaries have until November 1, 2023, to enroll.

NHRS respects the privacy and security of all our retirees, beneficiaries, and community members. We therefore are taking this matter seriously. We regret that our service provider PBI was involved in the MOVEit incident and, again, strongly encourage you to enroll in the free credit and identity protection services if you receive a notification letter from PBI. Also, please feel free to contact NHRS at cyber-response@nhrs.org if you have any questions about this matter.

About NHRS

NHRS provides retirement, disability, and death benefits to its eligible members and their beneficiaries.  The State of New Hampshire and more than 460 local government employers participate in NHRS for their employees, teachers, firefighters, and police officers. NHRS has approximately 48,500 active members and 42,000 benefit recipients. NHRS administers a defined benefit plan qualified as a tax-exempt entity under sections 401(a) and 501(a) of the Internal Revenue Code.