Editorial: Virginia Retirement System hack demands transparency and accountability

Through no fault of their own, thousands of Virginians are learning that their names, social security numbers, birthdates and partial addresses may have been exposed on the internet as part of a massive data breach affecting millions of Americans.

Most of those whose personal information may have been compromised are retired public employees who receive pension benefits through the Virginia Retirement System. VRS initially told Channel 8 News in Richmond that active members of the retirement system were not affected by the hack, but later backed away from that blanket statement. The hack compromised personal information of some survivors and beneficiaries of retirees, a group that includes some current teachers and other state employees. As many as 230,000 people may be affected.

Retirement systems in other states have also been targeted by the hackers, as have other public pension and private-sector retirement plans and state and federal agencies. California’s public employee retirement system, the largest in the nation, announced in June that hackers had stolen confidential data of about 769,000 retirees and beneficiaries.

How did this happen? After all, those in the commonwealth’s retirement system don’t have a choice about giving their personal information to VRS. Was VRS careless with the data in its files? The answer is complicated.

Like many other retirement systems, VRS contracts with a company called Pension Benefits Information to verify information about retirees and guard against overpayment. PBI, like many organizations around the world, uses the MOVEit Transfer software to share data, supposedly securely.

In May, a Russian ransomware group calling itself Clop apparently discovered a flaw in the MOVEit Transfer software and exploited it to gain access to a great deal of confidential personal information before the flaw was discovered and repaired.

Clop and similar cyber criminals steal data and then demand ransom in exchange for not making the information public. Clop wasn’t zeroing in on retired Virginia public employees, but all those whose personal details are now in the hands of unscrupulous crooks should be concerned.

It’s a fact of 21st-century life: As we increasingly rely on complex technology and allow our personal data to be stored somewhere in cyberspace, our vital information becomes vulnerable to all sorts of misuse.

Those to whom we entrust that data, often without any real choice, must do a better job of protecting it.

PBI has offered Virginians whose data was breached 12 months of free credit monitoring and help with “identity restoration” — dealing with disputes over financial matters and other problems that might be related to the data breach. That’s a good first step.

The internet offers plenty of suggestions in addition to credit monitoring for those whose personal information might have been compromised: keep a close eye on your credit cards and bank account; change passwords and login information and turn on multifactor authentication; watch the bills that come in and promptly dispute any that you don’t recognize.

The advice is sound, but following it can be time consuming. There’s also the fact that many retirees, especially older ones whose jobs didn’t involve much technology, may not have the necessary skills or equipment.

Legal experts are already debating who is ultimately responsible and who can be sued over breached data. Is VRS legally responsible for the breach, or does the responsibility all fall on PBI, or on Progress Software, maker of MOVEit Transfer?

VRS should not wait for the experts and the courts to resolve those disputes.

VRS needs to be open and forthright about what happened and what the consequences could be. It should work to keep those whose data was compromised fully informed about what’s going on and what problems might arise in the months to come.

While damage control proceeds, VRS and all Virginia’s agencies should redouble efforts toward strong and effective cyber security. That must include doing more to make sure that the contractors and vendors state agencies rely on also work vigilantly to protect the sensitive data citizens entrust to them.