The San Francisco Employees’ Retirement System (SFERS) has reported that a data breach to one of its partners’ systems occurred in late February, potentially, exposing the information of 74,000 current and prior members of the fund.
The fund said that information from 10up Inc.’s servers was not removed, but it is not clear whether the information was viewed or copied by the outside source. The retirement system was alerted to the hack by 10up one month after its occurrence and it was told that 10up shut down the server and began an investigation once the breach was identified.
The information exposed includes users’ personal information such as their address, full name, date of birth, bank routing numbers, IRS form 1099R information (excluding Social Security number), and information about their designated beneficiaries.
CIO recently published a report detailing insider tips for funds and businesses that are keen on ramping up their data security.
“Your personal financial information may be misused,” the fund said in a statement. It offered solutions for members who are interested in protecting their identity and offered a complementary year to identity protection program Experian’s IdentityWorks for those plan participants who may face an increased risk of identity theft.
In explaining how the breach happened, SFERS said, “the retirement system contracts with vendors to provide SFERS members with online access to their account information. One of the vendors, 10up Inc., set up a test environment on a separate computer server, which included a database containing data from approximately 74,000 SFERS member accounts as of August 29, 2018. On March 21, 2020, 10up Inc. learned that this server had been accessed by an outside party on February 24, 2020.”
The news makes SFERS the latest pension fund to be assailed by hackers. Last year, the Oklahoma Police Pension reported that hackers had stolen $4.2 million from its coffers, however no pension benefits to members were affected. Cyber insurance companies reported that they’ve seen a growth in customers as many businesses prepare for potential breaches.
In 2018, Rhode Island’s pension fund sued Google for covering up data breaches, compromising the personal information of 52.5 million users.