Dive Brief:
- A retired teacher filed a class-action lawsuit against TIAA last week over the retirement fund's handling of clients’ personal data following the cyberattack on the file transfer software platform MOVEit that exposed TIAA data.
- The data breach affected some 2.3 million TIAA clients, according to the lawsuit filed last week in U.S. District Court in New York. The suit alleges TIAA did not use “reasonable security procedures and practices” to protect clients’ sensitive information.
- TIAA clients’ names, Social Security numbers, birth dates, addresses and genders were compromised during the data breach, according to the lawsuit. TIAA declined to comment on the matter.
Dive Insight:
The cyberattack on MOVEit goes far beyond the scope of TIAA’s millions of clients. It’s estimated that the ransomware group, Clop, compromised over 600 organizations and 40 million individuals in the attack. Experts also project the mass exploit will bring years of fallout.
The MOVEit data breach has impacted organizations across industries, and the education sector is no exception. TIAA is a prime example: The retirement fund provides services to over 5 million people from more than 15,000 institutions, managing almost $1 trillion in assets.
K-12 victims include the New York City Department of Education and the Minnesota Department of Education.
The lawsuit seeking over $5 million in damages claims TIAA did not encrypt stored personal data nor delete it once the information was no longer needed. Had the named plaintiff known the retirement fund would not adequately protect her personal information, the lawsuit said, she would not have provided her sensitive data.
The TIAA class-action lawsuit comes months after a state judge dismissed a somewhat similar class-action lawsuit against ed tech company Illuminate Education. The judge in that case said the plaintiffs failed to establish standing or prove any instance of actual identity theft following a 2021 Illuminate data breach that leaked academic, behavior and demographic information of 3 million students.
Federal efforts are newly underway to bolster K-12 cybersecurity and prevent further cyberattacks, especially at the school district level.
The Biden administration and its Education and Homeland Security departments last week announced plans to establish a government coordinating council to organize cybersecurity activities and communications.
The initiatives to step up K-12 cybersecurity, presented along with a White House summit on the issue, include an FCC proposal to invest up to $200 million over three years to improve school and library cybersecurity, updated guidance from the FBI and the National Guard Bureau on how schools can report incidents and cybersecurity training.