Skip to main content

Pension Benefit Information – PBI Research Data Breach | MOVEit

The Lyon Firm is investigating the data security incident involving the MOVEit transfer software and Pension Benefit Information (PBI Research) data breach. Contact the firm for a free consultation. We have filed a class action complaint, and you are encouraged to join the suit. 

Pension Benefit Information (PBI),  has begun contacting over 1.2 million individuals to alert them of a recent data security event. Those seeing the data breach notice letters are receiving them because PBI provides audit and address research services for Fidelity Investments, the provider of administrative services for several retirement plans.

The PBI Research data breach stemmed from an attack in May 2023 on the file transfer software MOVEit, which has impacted hundreds of financial firms, universities, the U.S. federal government, retirement systems, and healthcare entities. The entire breach is thought to impact tens of millions of individuals globally.

Pension Benefit Information provides pension management services and its clients include insurance companies, financial institutions, and third-party administrators.

What Can I do after a data breach?

Data breaches have become increasingly common as cybercriminals have found great value in stealing personal information stored online. Companies that collect and store data online have not kept up with these cyberattacks, and online security often lags. As a result, consumers are continually dealing with new data theft incidents.

There isn’t much you can do to prevent these incidents as a consumer, but after an alert, you should take certain measures to try to limit the damage. It may seem overwhelming after you are hit with numerous data breaches in the same year. But you should try to protect yourself from fraud and the risk of identity theft.

First, read the data breach notification you received and make sure it is an official notice. Some scams involve contacting individuals and saying there’s been a data theft event and that they need to confirm your details. Contact the organization and try to get as many details as they will offer. They will likely be hesitant, and you may need to contact an attorney.

Second, try to identify exactly what information was compromised. If your health and financial details are leaked, for example, you may need to lock down more than if your contact details were compromised. Healthcare data theft can lead to medical identity theft, and obviously any financial details are very sensitive.

Take action as soon as you can and begin to change your login info (pins and passwords). It’s best to always enable a two-factor authentication, review your accounts for any signs of fraud, and update your software.

Contact the company that initially contacted you. Gather as much info as you can to build your case against any negligent company.  As a consumer, you have a right to understand what happened and how you were impacted. In the very least, they should offer you free identity theft protection, credit monitoring, and/or other services.

Request and review your credit reports from all the major credit bureaus, which include Equifax, Experian and TransUnion. You can request one free copy each year from each of the three major consumer reporting companies by visiting Look for any new and fraudulent accounts or any activity that could signal identity theft.

In some cases, it can be best to consider placing a fraud alert or credit freeze on your credit to prevent unauthorized access. It is free to place a freeze on your credit report.

Last, contact an experienced data privacy lawyer to investigate your case. By filing a class action lawsuit, you can be compensated for damages and find justice in holding any negligent company accountable for their actions.

The Pension Benefit Information Breach: What Happened?

In May 2023, Progress Software, the provider of MOVEit Transfer software, disclosed a vulnerability in their software that could have been exploited by an unauthorized third party. The alleged hackers accessed a MOVEit Transfer server on May 29, 2023 and May 30, 2023 and downloaded personal data.

Pension Benefit Information (PBI Research Services), has said the protected health information of up to 1,209,825 individuals was exposed and potentially stolen by the Clop ransomware group in the attack. PBI said the breach was discovered on June 2, 2023, and that a patch to fix the flaw was applied, though that was too little too late. The damage was already done, and data was stolen in the days prior.

A forensic investigation confirmed that the servers were accessed by the Clop hackers on May 29 and May 30, 2023. The files stolen included names, addresses, dates of birth, and Social Security numbers. 

All the details of the breach are not yet known, though very sensitive personal data may have been leaked, including Social Security numbers. Several insurance companies have been impacted in this attack, including, Milliman, CALpers,  Nuance Communications, BMO Bank and MassMutual Ascend.

Can I Sue PBI Research?

Legal action may be necessary when a company fails to safeguard consumer data. We feel very strongly that if a company is going to collect and store your personal data, they have a duty to properly protect it from hackers. The idea of cyberattacks is not new, and companies are aware that they are a target. They have a duty to build and maintain a reasonably secure system to prohibit ransomware gangs from stealing consumer data.

When a breach does occur, and individuals are left scrambling to stave off fraud and identity theft threats, filing a lawsuit can be helpful in a number of ways. First, compensation is expected when a company costs you time and energy and the future threat of identity theft. Also, when companies are hit with lawsuits, it encourages them to change their behavior so the same mess does not happen again. Justice can be served, and make the consumer marketplace safer in the future.

The Lyon Firm has experience representing plaintiffs nationwide in class action privacy lawsuits and data theft cases. Contact the firm to learn more about the MOVEit attack and to discuss legal action. There are ongoing PBI Research class actions you may be able to join, or file a new claim. We represent plaintiffs in all fifty states.