TMCnet News

TIAA-CREF Sites Are Protected Against 'Heartbleed'; Company Recommends Customers Change Passwords
[April 18, 2014]

(Targeted News Service Via Acquire Media NewsEdge) NEW YORK, April 17 -- TIAA-CREF issued the following news release:

TIAA-CREF understands customers may have questions regarding the security of their personal and financial information on our websites given the "Heartbleed" security flaw on the Internet. We have no indication of compromised customer data at this time due to Heartbleed.

Steps We Have Taken

We have closely monitored the situation and followed what are considered industry best practices with regard to Heartbleed. We implemented a software patch and reissued our "SSL certificates," which is software that helps verify that a site is authentic and properly encrypts communications.

What You Should Do

We recommend that you change the password you use on tiaa-cref.org. Security experts recommend that you periodically change passwords, especially when there has been a potential vulnerability such as Heartbleed.

In general, there are some simple precautions you can take to help you avoid unauthorized use of your personal and financial information. For more about online security and protecting your personal information, please see the "Identity Theft" section of the "Security" page on our main tiaa-cref.org website. These safeguards, along with the secure transmission of your personal information and other authentication procedures that we use, are all geared to keep your data protected.

Q&A

1. What is Heartbleed?
Heartbleed is a flaw in Internet security standards that encrypt communication between customers and websites.

2. What did TIAA-CREF do in response to Heartbleed?
TIAA-CREF has closely monitored the Heartbleed situation as it evolved. We implemented a software patch and reissued our "SSL certificates," which is software that helps verify that a site is authentic and properly encrypts communication. We recommend that you change the password you use on tiaa-cref.org.

3. Do you think that any of your customer data has been compromised because of Heartbleed?
No. We have no indication of compromised customer data at this time due to Heartbleed. The potential vulnerability was discovered and remedied quickly and in accordance with industry best practices.

4. What should individuals do?
We recommend that you change the password that you use on our website. Periodically updating passwords is something security experts recommend you do, particularly when there has been a potential vulnerability such as Heartbleed. It's also a good practice not to use the same password for multiple sites.

5. Should I change my password for TIAA-CREF's mobile channels?
The same updates to security software and certificates for our websites also protect our mobile channels. With these updates in place, we recommend you change the password that you use on our mobile channels.

6. Is TIAA-CREF doing anything else to ensure this is no longer a threat to customer personal and financial data?
Keeping our customers' personal information safe and secure is a top priority for us. We continuously monitor and implement technological and procedural improvements to increase data security.

7. What is a Secure Sockets Layer (SSL) certificate that I've heard mentioned in connection with Heartbleed?
A Secure Sockets Layer (SSL) certificate provides security for online communications. When a person using a web browser contacts a secured web site, the SSL certificate enables an encrypted connection. It's been described as being similar to sealing a letter in an envelope before sending it through the mail.

8. I read on the Internet that TIAA-CREF received failing grades for other SSL security tests (not Heartbleed). Can you explain this?
We cannot vouch for the validity of results found on sites on the Internet that offer tests for Heartbleed and other SSL security tests. We believe our websites and SSL certificates are configured appropriately to secure our customers' information.

9. I thought TIAA-CREF had previously said that your websites were unaffected by Heartbleed, but now you are recommending that I change my password. Why the switch?
We have been closely monitoring the Heartbleed situation as it has evolved. While there are no indications that customer information has been compromised as a result of Heartbleed, we recommend that you follow best practices by changing the password that you use on our mobile channels and tiaa-cref.org.

(c) 2014 Targeted News Service