MutualFundWire.com
an InvestmentWires' Publication
Tuesday, October 15, 2024

Nuveen and Principal AM Dodge a Hack That Hit 6MM

At least five firms in the asset management business were affected by a hack that hit a tech ally to the insurance industry. Yet for at least three of the affected companies, their asset management arms dodged the bullet.

Spokespeople with Principal, Prudential Financial (parent of PGIM), and with TIAA (parent of Nuveen), confirm that their Nuveen, PGIM, and Principal Asset Management businesses were not affected by an Infosys McCamish Systems, LLC data breach that came to light in recent months. Yet other businesses at TIAA, Pru, and Principal were affected, and several other firms in asset management were affected, too. (Our sister publication 401kWire covered the hack's effect on the firms' retirement plan businesses.)

The Hack Comes to Light

Though the hacking incident took place almost a year ago, it started coming to light over the past few months. On June 27, Ron Plesco, partner at DLA Piper LLP, filed a data breach notification, on Infosys' behalf, with the Office of the Maine Attorney General. The notice with the Maine AG revealed that Infosys was hit by an "external system breach" between October 29, 2023 and November 2, 2023.

Also on June 27, 2024, the technology provider's team began directly notifying affected individuals in writing. Those notices reveal that the fall 2023 breach affected more than six million people (6,078,263, including 11,866 in Maine). Data exposed included: biometrics, dates of birth, email addresses, financial account and payment card information, medical records, passwords, Social Security Numbers, usernames, and numbers for driver's licenses, military IDs, passports, state IDs, and U.S. military IDs.

In light of the breach, the Infosys team is providing affected individuals with 24 months of credit monitoring and identity theft services from Kroll.

At Principal, Life Insurance Customers Were Affected

On August 13, 2024, the Infosys team filed again with the Maine AG, revealing that two of its customers affected by the big fall 2023 hack were Principal Life Insurance Company and Prudential Insurance Company of America.

A Principal spokesperson confirms that the Infosys hack did not affect customers of Principal Asset Management.

"Infosys McCamish Systems (McCamish) was the target of a cybersecurity event late last year that disrupted certain applications and systems used to service our group universal life customers. As a customer of McCamish, we received confirmation that Principal customer data for our group universal life products was subject to unauthorized access and acquisition as part of the cybersecurity event," the Principal spokesperson tells 401kWire in an emailed statement. "Principal does not work with McCamish in our retirement business, or in servicing our non-qualified book of business. We've worked with McCamish to notify impacted individuals directly on behalf of itself and Principal and provided an offer for free credit monitoring and identity restoration services."

"Safeguarding our customers' information has long been a critical priority for Principal," the Principal spokesperson adds. "Please note that no internal systems of Principal were compromised because of this incident, and no data was exfiltrated from systems maintained by Principal."

A Pru spokesperson tells MFWire that "PGIM was not impacted by this issue."

At T. Rowe, Non-Qual Customers Were Affected

On September 9, 2024, the Infosys team filed again with the Maine AG, revealing two more customers affected by the big fall 2023 hack. Those customers were New York Life Group Benefit Solutions and T. Rowe Price Retirement Plan Services, Inc.

New York Life spokespeople did not respond to a request for comment on what effect (if any) the hack had on their asset management arm, New York Life Investments.

In T. Rowe Price's case, the hack affected some non-qual clients, a spokesperson confirms. Yet the spokesperson did not respond to a request for comment on what effect (if any) the hack had on T. Rowe's mutual funds.

"Infosys McCamish informed T. Rowe Price Retirement Plan Services, Inc. (T. Rowe Price) about the subset of less than 10,000 impacted individuals associated with nonqualified plans record kept by T. Rowe Price. T. Rowe Price reviewed the data, communicated with our impacted nonqualified plan clients, and offered them the opportunity to opt in to mailings being made by IMS to impacted individuals," a T. Rowe spokesperson tells 401kWire in an emailed statement. "The mailings to these impacted individuals were made on August 23rd and T. Rowe Price's name has been added by IMS to its regulatory filings in certain states as is customary."

"T. Rowe Price's systems were not compromised by the incident at IMS [Infosys McCamish Systems LLC] and no data was exfiltrated from T. Rowe Price systems," the spokesperson adds. "IMS provides recordkeeping support to T. Rowe Price for nonqualified plans only and there was no impact to the services T. Rowe Price provides to qualified and governmental retirement plans."

At TIAA, Retail Customers Were Affected

On September 27, 2024, Louis Senay, managing director of supervisory affairs at TIAA, filed a data breach notification with the Maine AG, revealing that TIAA and TIAA Life were affected by the big fall 2023 hack of Infosys. Per that notice, 8,977 individual TIAA customers (including 81 Maine residents) were affected.

Yet in TIAA's case, it was retail clients who were affected by the hack, a company spokesperson confirms, but not Nuveen fund shareholders. (The notice sent to affected customers came from Ali Iqbal, president of TIAA-CREF Life Insurance Company.)

"Infosys McCamish Systems (IMS) notified TIAA that some TIAA and TIAA Life retail customers (not institutional plan participants or Nuveen clients) were impacted during McCamish's November 2023 cybersecurity incident. There was no involvement whatsoever of TIAA’s systems or recordkeeping platform," a TIAA spokesperson tells 401kWire in an emailed statement. "We have alerted those affected customers and IMS has secured Kroll's services to provide identity monitoring services at no cost to them. Data security remains a top priority at TIAA."

Printed from: MFWire.com/story.asp?s=68035
Copyright 2024, InvestmentWires, Inc. All Rights Reserved