MOVEit/TIAA Data Breach

This page contains information regarding the recent data security incident involving Pension Benefit Information, LLC (“PBI”), a vendor to TIAA, our retirement plan record-keeper. Please note that the information systems at Lehigh University were not involved or impacted by this breach.

The incident was part of a global data security incident involving MOVEit, a type of file transfer software used by thousands of organizations around the globe, including PBI. As has been reported in the press, this MOVEit incident has impacted state and federal government agencies, financial services firms, pension funds, and many other types of companies and not-for-profit organizations. This incident has resulted in access to personal information of a very large number of people across the country.

If you have been impacted: PBI is sending letters to impacted individuals by US mail that will provide detailed information about the incident, instructions, and a unique code to reference when registering for the free credit monitoring. You may have already received this letter. Impacted individuals will receive two years of credit monitoring at no cost from PBI. This coverage will be supplied through the efforts of Kroll, LLC, a cybersecurity consulting firm that, among other things, specializes in incident response services and related notifications. The letter also includes a telephone number you may call to learn more or ask questions about the credit monitoring service. We are reaching out to you so that you will be able to watch for the letter and will know that it is a legitimate communication.

In the meantime, you may want to consider placing a fraud alert or a freeze on credit reports. Information on how to contact the credit reporting agencies is included with this letter. In addition, it is always a good idea to closely monitor financial accounts and ensure that each of your online accounts has a unique, complex password.

For more information, please refer to the FAQs below. If you have questions, please reach out to us at inben@lehigh.edu.

Steps You Can Take to Protect Your Personal Information

Review Your Account Statements and Notify Law Enforcement of Suspicious Activity: As a precautionary measure, we recommend that you remain vigilant by reviewing your account statements and credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You also should promptly report any fraudulent activity or any suspected incidence of identity theft to proper law enforcement authorities, your state attorney general, and/or the Federal Trade Commission (FTC).

Copy of Credit Report: You may obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting http://www.annualcreditreport.com/, calling toll-free 1-877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You also can contact one of the following three national credit reporting agencies:

Equifax
P.O. Box 105788
Atlanta, GA 30348
1-888-378-4329
www.equifax.com

Experian
P.O. Box 9532
Allen, TX 75013
1-800-831-5614
www.experian.com

TransUnion
P.O. Box 1000
Chester, PA 19016
1-800-916-8800
www.transunion.com

Fraud Alert: You may want to consider placing a fraud alert on your credit report. An initial fraud alert is free and will stay on your credit file for at least one year. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name. To place a fraud alert on your credit report, contact any of the three credit reporting agencies identified above. Additional information is available at http://www.annualcreditreport.com.

Security Freeze: You have the right to put a security freeze on your credit file for up to one year at no cost. This will prevent new credit from being opened in your name without the use of a PIN that is issued to you when you initiate the freeze. A security freeze is designed to prevent potential creditors from accessing your credit report without your consent. As a result, using a security freeze may interfere with or delay your ability to obtain credit. You must separately place a security freeze on your credit file with each credit reporting agency. In order to place a security freeze, you may be required to provide the consumer reporting agency with information that identifies you, including your full name, Social Security number, date of birth, current and previous addresses, a copy of your state-issued identification card, and a recent utility bill, bank statement, or insurance statement.

Frequently Asked Questions

What happened?

Lehigh University’s retirement plan record-keeper, Teachers Insurance and Annuity Association of America (“TIAA”), uses Pension Benefit Information, LLC (“PBI”), a vendor that specializes in identifying participants, beneficiaries, or annuitants who might have passed away. On or around May 31, 2023, Progress Software, the provider of MOVEit Transfer software, disclosed a vulnerability in its software that had been exploited by an unauthorized third party. PBI utilizes MOVEit in the regular course of its business operations to securely transfer files.

PBI promptly launched an investigation into the nature and scope of the MOVEit vulnerability’s impact on its systems. Through the investigation, PBI learned that a third party accessed one of its MOVEit Transfer servers on May 29, 2023 and May 30, 2023, and downloaded data. PBI then conducted a manual review of its records to confirm the identities of individuals potentially affected by this event and their contact information to provide notifications.
 
PBI notified TIAA about this incident on June 3, 2023, and TIAA informed Lehigh University of the incident on June 19, 2023. PBI is sending out notices to individuals impacted by this incident. You may have already received such a letter.
 
Why did TIAA share my information with PBI?

TIAA is Lehigh University’s retirement plan record-keeper. TIAA uses PBI as a vendor to identify participants, beneficiaries, or annuitants who might have passed away.

Can I request to stop sharing my data with TIAA?

All Lehigh community members with a TIAA retirement account must share their data with TIAA to establish and maintain accounts. As TIAA is a financial institution, it requires specific personal data to open and maintain investment accounts.

When did the incident occur?

PBI discovered this vulnerability on May 31, 2023. PBI promptly launched an investigation into the nature and scope of the vulnerability and its impact on PBI systems. Through the investigation, PBI learned that a third party accessed one of its servers on May 29, 2023, and May 30, 2023, and downloaded data.

PBI then notified law enforcement and conducted a manual review of its records to confirm the identities of individuals potentially affected by this event. After PBI completed its review, it confirmed to TIAA on June 3, 2023, the specific compromised files. TIAA then reconciled those files against their own records and subsequently notified Lehigh University in mid-July.

Why wasn’t I informed of the incident sooner?

With any such event, it takes time to gather the relevant information, identify the affected individuals, hold the necessary internal discussions, and make the appropriate decisions to identify and implement the assistance services that are being offered. Lehigh University, after learning of the incident, was diligent in its coordination with TIAA/PBI to ensure the appropriate protection services would be provided to the correct individuals.

What information was involved?

Based on the investigation of the situation to date, the potentially compromised information consists of first and last name, date of birth, address, gender, and Social Security number. 

How many people are involved?

This information isn’t currently available. However, all individuals with identifiable address information whose personal information may have been impacted have been notified.

What has been done to fix the problem?

Upon learning about this vulnerability, PBI took steps to patch its servers, investigate the incident, assess the security of its systems, and notify potentially affected clients. While PBI is unaware of any identity theft or fraud as a result of this event, it is offering impacted individuals access to 24 months of complimentary credit monitoring and identity restoration services through Kroll, LLC, a leading identity recovery services company.

What communication should I expect to receive from PBI and how will I know it is legitimate?

PBI has sent you a letter by mail that will provide information about the incident, instructions, and a unique code to reference when registering for the free credit monitoring. The letter also will include a telephone number you may call to learn more or ask questions about the credit monitoring service.

I misplaced my notice from PBI. How can I get another copy?

Please contact 866-373-7560, Monday through Friday from 9 a.m. to 6:30 p.m. Eastern time (excluding U.S. holidays), for additional assistance.

Is there anything I need to do given the potential exposure of my information?

Lehigh University recommends that individuals consider placing a fraud alert or a freeze on credit reports. A fraud alert will not stop you from using your credit cards or other accounts. In addition, it is always a good idea to closely monitor financial accounts and ensure that each of your online accounts has a unique, complex password. For more information, refer to page two of the letter you received from Lehigh University.

What should I do if I find suspicious activity on my credit reports or have reason to believe my information is being misused?

Call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will require the information it contains to absolve you of fraudulent debts. You may also file a complaint with the FTC at www.ftc.gov/idtheft or reach the FTC at 1-877-IDTHEFT (1-877-438-4338) or 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations.

Were any other Lehigh benefits vendors impacted by the MOVEit breach?

Genworth Long Term Care Insurance (a provider of a voluntary benefit to Lehigh employees) was also impacted by the breach. If you are a Genworth insurance participant affected by the breach, you may also receive a communication from PBI. Questions regarding Genworth may be directed to 888.GENWORTH.

I have additional questions that are not answered here. What should I do?

If you have a question that is not addressed in this FAQ, you may contact PBI via the phone number provided in their communication. You may also contact Lehigh Human Resources via inben@lehigh.edu.