VRS retirees, beneficiaries and survivors are receiving letters from PBI, describing a data security incident that has affected millions of people and hundreds of organizations including VRS.
- The letters are legitimate and provide specific instructions for obtaining credit monitoring and additional services through Kroll, a global leader in risk mitigation and response.
- When you call the number provided in your letter, you will hear, "Welcome to the Longevity Holdings Inc. incident response line." Longevity Holdings is the parent company of PBI.
- The PBI/Kroll call center is experiencing heavy call volume and you may experience long wait times or, possibly, an error message.
- You may find it more expedient to visit https://enroll.krollmonitoring.com to activate your identity monitoring services. You will need the membership number provided in your letter.
- Also, be aware that you may receive multiple letters regarding this widespread, global security incident. MOVEit software is commonly used by PBI and other firms to transfer data. For example, you may receive security incident letters from Genworth Financial, TIAA, Fidelity and Schwab, to name a few additional companies affected.
- It’s important that you carefully follow the instructions in each letter you receive, as the phone number and details vary by letter. Be sure to note the time period given to enroll in the credit monitoring services.
Q. What Happened?
PBI Research Services (PBI) notified VRS about an information security incident that occurred at PBI. The incident involved PBI’s use of MOVEit Transfer software, a product used by thousands of organizations worldwide to transfer and exchange data. A vulnerability in the MOVEit software allowed an unauthorized third party to access or acquire data from PBI servers containing information from numerous organizations that were customers, including VRS.
VRS contracts with PBI to assist VRS in accurately making benefit payments. Specifically, VRS uses PBI’s services to identify deceased VRS members, so that VRS does not make overpayments or other errors in payment. PBI advised VRS that certain data files that VRS had shared with PBI for these purposes may have been subject to unauthorized access during PBI’s information security incident.
- The PBI information security incident did not impact VRS information technology systems or myVRS.
- The PBI incident was entirely outside of VRS.
- The incident impacts certain VRS retirees, beneficiaries and survivors.
PBI advised that it has taken the following steps to mitigate the information security incident:
- Reported the matter to law enforcement.
- Contained the incident.
- Eliminated the unauthorized access.
- Conducted an investigation.
- Began implementing additional security measures.
VRS notified the Office of the Attorney General of Virginia and law enforcement of the incident.
PBI is notifying the affected VRS participants by mail and has established a call center to address questions. PBI will also assist with the setup of complimentary credit monitoring and identity protection services through Kroll, a global leader in risk mitigation and response.
Q. Who does this impact and what data was involved?
This PBI incident impacts certain VRS retirees, beneficiaries and survivors whom PBI is notifying directly by mail. Active members could receive a letter from PBI if they receive a benefit as a survivor or beneficiary of a retiree who is deceased, or as part of a settlement of a former spouse’s retirement benefit under an approved domestic relations order. Additionally, active VRS members participating in long-term care insurance with Genworth Life Insurance Co. may receive a letter related to Genworth records impacted by the incident. Genworth is the insurer for the long-term care insurance program available to VRS members and retirees.
The VRS data that may have been accessed as a result of PBI’s information security incident includes the names, partial addresses (city, state, ZIP code), dates of birth, and Social Security numbers of certain VRS participants.
Q. Will this impact my monthly benefit payment?
No. VRS will continue to make benefit payments each month including direct deposits.
Q. Is my retirement benefit safe?
Yes. VRS systems were not impacted by the PBI information security incident.
Q. Was VRS the only organization impacted?
No. Many organizations were impacted by the PBI information security incident or otherwise by the MOVEit software vulnerability, including other retirement systems, governments, healthcare organizations, and private companies in the United States and around the world.
Q. What are the next steps?
PBI began mailing letters to those impacted on August 1.
PBI will provide a call center to address questions and also assist with the setup of complimentary credit monitoring and identity protection services to affected individuals through Kroll, which has extensive experience helping people who have sustained an unintentional exposure of confidential data.
There will be no cost for these services, but potentially affected individuals will need to complete an activation process to take advantage of these services. Information and activation instructions are contained in the letter PBI mailed to those affected.
Q. What other steps can you take to protect your identity?
We encourage you to take these precautions:
- Remain vigilant to threats of identity theft or fraud by regularly reviewing and monitoring your accounts and credit history for signs of unauthorized transactions or activity.
- You are entitled to receive a free credit report once every 12 months from each of the three major credit reporting agencies (Experian, Equifax and Transunion). For a free report, visit www.annualcreditreport.com or call toll-free at 877-322-8228.
- If you suspect you are a victim of identity theft or fraud, you should file a report with your local police, the Office of the Attorney General in your state, or the Federal Trade Commission. You also can access additional information online on how to protect your identity from the FTC.
See PBI’s responses to frequently asked questions.
If you are affected, please call the number provided in your notification letter.