Though at least five firms in the asset management business were affected by a hack that hit a tech ally to the insurance industry. Yet for at least three of the affected companies, their asset management arms dodged the bullet.
Spokespeople with
Principal,
Prudential Financial (parent of
PGIM), and with
TIAA (parent of
Nuveen), confirm that their Nuveen, PGIM, and Principal Asset Management businesses were not affected by an
Infosys McCamish Systems, LLC data breach that came to light in recent months. Yet other businesses at TIAA, Pru, and Principal were affected, and several other firms in asset management were affected, too. (Our sister publication
401kWire covered the hack's effect on the firms' retirement plan businesses.)
The Hack Comes to Light
Though the hacking incident took place almost a year ago, it started coming to light over the past few months. On June 27,
Ron Plesco, partner at
DLA Piper LLP,
filed a data breach notification, on Infosys' behalf, with the
Office of the Maine Attorney General. The notice with the Maine AG revealed that Infosys was hit by an "external system breach" between October 29, 2023 and November 2, 2023. Also on June 27, 2024, the technology provider's team also began directly notifying affected individuals in writing.
Those notices reveal that the fall 2023 breach affected more than six million people (6,078,263, including 11,866 in Maine). Data exposed included: biometrics, dates of birth, email addresses, financial account and payment card information, medical records, passwords, Social Security Numbers, usernames, and numbers for driver's licenses, military IDs, passports, state IDs, and U.S. military IDs. In light of the breach, the InfoSys team is provided affected individals with 24 months of credit monitoring and identity theft services from
Kroll.
At Principal, Life Insurance Customers Were Affected
On August 13, 2024, the InfoSys team
filed again with the Maine AG, revealing that two of its customers affected by the big fall 2023 hack were Principal Life Insurance Company and Prudential Insurance Company of America.
A Principal spokesperson confirms that the Infosys hack did not affect customers of Principal Asset Management.
"Infosys McCamish Systems (McCamish) was the target of a cybersecurity event late last year that disrupted certain applications and systems used to service our group universal life customers. As a customer of McCamish, we received confirmation that Principal customer data for our group universal life products was subject to unauthorized access and acquisition as part of the cybersecurity event," the Principal spokesperson tells
401kWire in emailed statemet. "Principal does not work with McCamish in our retirement business, or in servicing our non-qualified book of business. We've worked with McCamish to notify impacted individuals directly on behalf of itself and Principal and provided an offer for free credit monitoring and identity restoration services."
"Safeguarding our customers' information has long been a critical priority for Principal," the Principal spokesperson adds. "Please note that no internal systems of Principal were compromised because of this incident, and no data was exfiltrated from systems maintained by Principal."
A Pru spokesperson tells
MFWire that "PGIM was not impacted by this issue."
At T. Rowe, Non-Qual Customers Were Affected
On September 9, 2024, the Infosys team
filed again with the Maine AG, revealing two more customers affected by the big fall 2023 hack. Those customers were
New York Life Group Benefit Solutions and
T. Rowe Price Retirement Plan Services, Inc.
New York Life spokespeople did not respond to a request for comment on what effect (if any) the hack had on their asset management arm,
New York Life Investments.
In T. Rowe Price's case, the hack affected some non-qual clients, a spokesperson confirms. Yet the spokesperson did not respond to a request for comment on what effect (if any) the hack had on T. Rowe's mutual funds.
"Infosys McCamish informed T. Rowe Price Retirement Plan Services, Inc. (T. Rowe Price) about the subset of less than 10,000 impacted individuals associated with nonqualified plans record kept by T. Rowe Price. T. Rowe Price reviewed the data, communicated with our impacted nonqualified plan clients, and offered them the opportunity to opt in to mailings being made by IMS to impacted individuals," a T. Rowe spokesperson tells
401kWire in an emailed statement. "The mailings to these impacted individuals were made on August 23rd and T. Rowe Price's name has been added by IMS to its regulatory filings in certain states as is customary."
"T. Rowe Price's systems were not compromised by the incident at IMS [Infosys McCamish Systems LLC] and no data was exfiltrated from T. Rowe Price systems," the spokesperson adds. "IMS provides recordkeeping support to T. Rowe Price for nonqualified plans only and there was no impact to the services T. Rowe Price provides to qualified and governmental retirement plans."
At TIAA, Retail Customers Were Affected
On September 27, 2024,
Louis Senay, managing director of supervisory affairs at TIAA,
filed a data breach notification with the Maine AG, revealing that TIAA and TIAA Life were affected by the big fall 2023 hack of Infosys. Per that notice, 8,977 individual TIAA customers (including 81 Maine residents) were affected.
Yet in TIAA's case, it was retail clients were affected by the hack, a company spokesperson confirms, but not Nuveen fund shareholders. (The notice sent to affected customers came from
Ali Iqbal, president of TIAA-CREF Life Insurance Company.)
"Infosys McCamish Systems (IMS) notified TIAA that some TIAA and TIAA Life retail customers (not institutional plan participants or Nuveen clients) were impacted during McCamish's November 2023 cybersecurity incident. There was no involvement whatsoever of TIAA’s systems or recordkeeping platform," a TIAA spokesperson tells
401kWire in an emailed statement. "We have alerted those affected customers and IMS has secured Kroll's services to provide identity monitoring services at no cost to them. Data security remains a top priority at TIAA." 
Edited by:
Neil Anderson, Managing Editor
Stay ahead of the news ... Sign up for our email alerts now
CLICK HERE