Financial services organization focused on retirement, investment, and insurance products.
In late May 2023, the Cl0p ransomware group exploited a zero-day vulnerability in the MOVEit Transfer software (CVE-2023-34362) used by TIAA's third-party vendor, PBI Research Services, exfiltrating data on approximately 2.3-2.6 million TIAA clients (the record reflects 2,464,625). Exposed data included names, Social Security numbers, dates of birth, addresses, and gender. TIAA notified affected individuals about six weeks later and offered 24 months of credit monitoring and identity restoration; a class-action lawsuit followed. This was a supply-chain/vendor breach, not a direct compromise of TIAA systems. (A separate, smaller incident exposed workforce data for ~23,000 employees.)
ObscureIQ assessment: Severe risk. Exposure enables retirement-account fraud, identity theft, benefits abuse, and targeted scams against people with stable long-term assets.
The exposure of Social Security numbers, dates of birth, names, and addresses for roughly 2.5 million TIAA clients creates severe, long-horizon identity-theft and synthetic-identity-fraud risk, made more acute because the affected population tends to hold stable long-term retirement assets attractive to fraudsters. The vendor origin (PBI/MOVEit) also highlights third-party supply-chain risk in financial services, and the incident drew significant litigation and regulatory attention.
TIAA (Teachers Insurance and Annuity Association of America) is a large U.S. financial-services organization providing retirement, investment, and insurance products, primarily serving people who work in the academic, research, medical, cultural, and nonprofit fields. Founded in 1918 and headquartered in New York, it administers retirement accounts, pensions, and annuities, maintaining highly sensitive identity, employment, beneficiary, and financial records for millions of participants.
Retirement and investment providers collect highly sensitive identity, employment, beneficiary, account, pension, and financial records across long-term savings and benefits administration systems.
The exposure stemmed not from a direct compromise of TIAA but from its third-party vendor PBI Research Services during the 2023 MOVEit zero-day campaign. TIAA notified affected individuals (criticized for a roughly six-week delay), offered 24 months of credit monitoring and identity restoration, and faced a class-action lawsuit. A separate, much smaller incident exposed workforce data for roughly 23,000 employees.
Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.
Attribution and method are based on available breach intelligence. Reported attack vector: Web Application Exploit.
If you believe your information may be included:
In late May 2023, the Cl0p ransomware group exploited a zero-day vulnerability in the MOVEit Transfer software (CVE-2023-34362) used by TIAA's third-party vendor, PBI Research Services, exfiltrating data on approximately 2.3-2.6 million TIAA clients (the record reflects 2,464,625). Exposed data…
Verified fields include Date of Birth, Full Name, Gender, Physical Address, Social Security Number.
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Every claim on this page is traceable. This breach draws on:
Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation