TIAA data breach exposes 2.4 million Social Security numbers


The investment firm manages more than $1 trillion in assets

A data breach at investment giant TIAA has exposed the Social Security numbers and other identifying information of some 2.4 million people, an internet security firm reports.

Sensitive TIAA data, including around 2.4 million Social Security numbers along with names, birthdays, and home addresses, began circulating around Nov. 12, according to Atlas Privacy.

Clients of TIAA can check if their data is exposed at Atlas Privacy's Databreach.com website.

TIAA is one of America's biggest investment firms, managing more than $1 trillion in assets.

A spokesperson for TIAA said that the data breach stems from a mid-2023 vulnerability at a vendor that used the file transfer app MOVEit, which has exposed hundreds of companies.

"We have been made aware that illegally-obtained TIAA client data has been made available," a TIAA spokesperson said.

"This is neither a new incident nor a security breach of TIAA systems," the spokesperson added.

What to do after a data breach

  • Follow the letter: Companies should send out a letter if you are a victim of a data breach. Read it carefully to get more details about what data was exposed and the steps the company recommends you take.
  • Freeze your credit: Contact each of the three credit bureaus, Experian, Equifax and TransUnion, and get your credit frozen so a criminal can’t open cards or other lines in your name.
  • Credit monitoring: Sometimes, companies will offer free credit monitoring or other services after a data breach.
  • Reset passwords: Change your passwords and use a different one for each service.
  • Use a password manager: LastPass and services built into web browsers such as Google Chrome and Microsoft Edge can create and store strong passwords for you.
  • Opt out of data collection: If you have the right in your state, you can email the services you use to request that they don’t collect your data for use by third parties.
  • Request to have your data deleted: For services you don’t use, ask to have your data deleted. California and other states have written this into law.
